Bump fast-xml-parser, @aws-sdk/client-s3 and @aws-sdk/client-sesv2

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) to 5.3.4 and updates ancestor dependencies [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser), [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) and [@aws-sdk/client-sesv2](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-sesv2). These dependencies need to be updated together. Updates `fast-xml-parser` from 5.2.5 to 5.3.4 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.2.5...v5.3.4) Updates `@aws-sdk/client-s3` from 3.971.0 to 3.987.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.987.0/clients/client-s3) Updates `@aws-sdk/client-sesv2` from 3.946.0 to 3.987.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-sesv2/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.987.0/clients/client-sesv2) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.3.4 dependency-type: indirect - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.987.0 dependency-type: direct:production - dependency-name: "@aws-sdk/client-sesv2" dependency-version: 3.987.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Fix dynamic -> private import violations
2026-02-11 20:29:02 +00:00 · 2026-02-11 18:53:53 +00:00 · 2026-02-11 10:30:25 -08:00 · 2026-02-11 10:26:50 -08:00 · 2026-02-11 10:23:00 -08:00 · 2026-02-11 10:23:00 -08:00
361 changed files with 26225 additions and 13133 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -44,19 +44,9 @@ updates:
    schedule:
      interval: "daily"
    groups:
-      dev-patch-updates:
-        dependency-type: "development"
+      patch-updates:
        update-types:
          - "patch"
-      dev-minor-updates:
-        dependency-type: "development"
+      minor-updates:
        update-types:
          - "minor"
-      prod-patch-updates:
-        dependency-type: "production"
-        update-types:
-          - "patch"
-      prod-minor-updates:
-        dependency-type: "production"
-        update-types:
-          - "minor"
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -29,7 +29,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -264,7 +264,7 @@ jobs:
              shell: bash

            - name: Install Go
-              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
              with:
                  go-version: 1.24

@@ -329,20 +329,89 @@ jobs:
                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
              shell: bash

-            - name: Copy tag from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+            - name: Copy tags from Docker Hub to GHCR
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
              # Wait a bit for both architectures to be available in Docker Hub manifest
              env:
                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  set -euo pipefail
                  TAG=${{ env.TAG }}
-                  echo "Waiting for multi-arch manifest to be ready..."
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+
+                  echo "Waiting for multi-arch manifests to be ready..."
                  sleep 30
-                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
-                  skopeo copy --all --retry-times 3 \
-                    docker://$DOCKERHUB_IMAGE:$TAG \
-                    docker://$GHCR_IMAGE:$TAG
+
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      IS_RC="true"
+                  fi
+
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release detected - copying version-specific tags only"
+
+                      # SQLite OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:$TAG \
+                        docker://$GHCR_IMAGE:$TAG
+
+                      # PostgreSQL OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
+                        docker://$GHCR_IMAGE:postgresql-$TAG
+
+                      # SQLite Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
+                        docker://$GHCR_IMAGE:ee-$TAG
+
+                      # PostgreSQL Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
+                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
+                  else
+                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
+
+                      # SQLite OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:$TAG_SUFFIX
+                      done
+
+                      # PostgreSQL OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
+                      done
+
+                      # SQLite Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
+                      done
+
+                      # PostgreSQL Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
+                      done
+                  fi
+
+                  echo "All images copied successfully to GHCR!"
              shell: bash

            - name: Login to GitHub Container Registry (for cosign)
@@ -371,28 +440,125 @@ jobs:
                  issuer="https://token.actions.githubusercontent.com"
                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)

-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
-                    echo "Processing ${IMAGE}:${TAG}"
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      IS_RC="true"
+                  fi

-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
-                    REF="${IMAGE}@${DIGEST}"
-                    echo "Resolved digest: ${REF}"
+                  # Define image variants to sign
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release - signing version-specific tags only"
+                      IMAGE_TAGS=(
+                          "${TAG}"
+                          "postgresql-${TAG}"
+                          "ee-${TAG}"
+                          "ee-postgresql-${TAG}"
+                      )
+                  else
+                      echo "Regular release - signing all tags"
+                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                      IMAGE_TAGS=(
+                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
+                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
+                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
+                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
+                      )
+                  fi

-                    echo "==> cosign sign (keyless) --recursive ${REF}"
-                    cosign sign --recursive "${REF}"
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"

-                    echo "==> cosign sign (key) --recursive ${REF}"
-                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${BASE_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"

-                    echo "==> cosign verify (public key) ${REF}"
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"

-                    echo "==> cosign verify (keyless policy) ${REF}"
-                    cosign verify \
-                      --certificate-oidc-issuer "${issuer}" \
-                      --certificate-identity-regexp "${id_regex}" \
-                      "${REF}" -o text
+                      echo "==> cosign sign (key) --recursive ${REF}"
+                      cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                      # Retry wrapper for verification to handle registry propagation delays
+                      retry_verify() {
+                        local cmd="$1"
+                        local attempts=6
+                        local delay=5
+                        local i=1
+                        until eval "$cmd"; do
+                          if [ $i -ge $attempts ]; then
+                            echo "Verification failed after $attempts attempts"
+                            return 1
+                          fi
+                          echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
+                          sleep $delay
+                          i=$((i+1))
+                          delay=$((delay*2))
+                          # Cap the delay to avoid very long waits
+                          if [ $delay -gt 60 ]; then delay=60; fi
+                        done
+                        return 0
+                      }
+
+                      echo "==> cosign verify (public key) ${REF}"
+                      if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
+                        VERIFIED_INDEX=true
+                      else
+                        VERIFIED_INDEX=false
+                      fi
+
+                      echo "==> cosign verify (keyless policy) ${REF}"
+                      if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
+                        VERIFIED_INDEX_KEYLESS=true
+                      else
+                        VERIFIED_INDEX_KEYLESS=false
+                      fi
+
+                      # If index verification fails, attempt to verify child platform manifests
+                      if [ "${VERIFIED_INDEX}" != "true" ] || [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
+                        echo "Index verification not available; attempting child manifest verification for ${BASE_IMAGE}:${IMAGE_TAG}"
+                        CHILD_VERIFIED=false
+
+                        for ARCH in arm64 amd64; do
+                          CHILD_TAG="${IMAGE_TAG}-${ARCH}"
+                          echo "Resolving child digest for ${BASE_IMAGE}:${CHILD_TAG}"
+                          CHILD_DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${CHILD_TAG} | jq -r '.Digest' || true)"
+                          if [ -n "${CHILD_DIGEST}" ] && [ "${CHILD_DIGEST}" != "null" ]; then
+                            CHILD_REF="${BASE_IMAGE}@${CHILD_DIGEST}"
+                            echo "==> cosign verify (public key) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Public key verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Public key verification failed for child ${CHILD_REF}"
+                            fi
+
+                            echo "==> cosign verify (keyless policy) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Keyless verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Keyless verification failed for child ${CHILD_REF}"
+                            fi
+                          else
+                            echo "No child digest found for ${BASE_IMAGE}:${CHILD_TAG}; skipping"
+                          fi
+                        done
+
+                        if [ "${CHILD_VERIFIED}" != "true" ]; then
+                          echo "Failed to verify index and no child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}"
+                          exit 10
+                        fi
+                      fi
+
+                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                    done
                  done
+
+                  echo "All images signed and verified successfully!"
              shell: bash

    post-run:
@@ -410,7 +576,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
--- a/.github/workflows/cicd.yml.backup
+++ b/.github/workflows/cicd.yml.backup
@@ -0,0 +1,426 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Install Go
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+              shell: bash
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Waiting for multi-arch manifest to be ready..."
+                  sleep 30
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,9 +24,9 @@ jobs:
              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

            - name: Set up Node.js
-              uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
              with:
-                node-version: '22'
+                node-version: '24'

            - name: Install dependencies
              run: npm ci
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,9 +17,9 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
-          node-version: '22'
+          node-version: '24'

      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
@@ -34,7 +34,7 @@ jobs:
        run: npm run set:oss

      - name: Generate database migrations
-        run: npm run db:sqlite:generate
+        run: npm run db:generate

      - name: Apply database migrations
        run: npm run db:sqlite:push
@@ -64,9 +64,6 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Copy config file
-        run: cp config/config.example.yml config/config.yml
-
      - name: Build Docker image sqlite
        run: make dev-build-sqlite

@@ -76,8 +73,5 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Copy config file
-        run: cp config/config.example.yml config/config.yml
-
      - name: Build Docker image pg
        run: make dev-build-pg
--- a/.gitignore
+++ b/.gitignore
@@ -50,4 +50,5 @@ dynamic/
 *.mmdb
 scratch/
 tsconfig.json
-hydrateSaas.ts
+hydrateSaas.ts
+CLAUDE.md
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,13 +4,13 @@
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "[jsonc]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.json-language-features"
    },
    "[javascript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescript]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.typescript-language-features"
    },
    "[typescriptreact]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
@@ -19,4 +19,4 @@
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "editor.formatOnSave": true
-}
+}
--- a/62
+++ b/62
@@ -5,7 +5,7 @@ WORKDIR /app
 ARG BUILD=oss
 ARG DATABASE=sqlite

-RUN apk add --no-cache curl tzdata python3 make g++
+RUN apk add --no-cache python3 make g++

 # COPY package.json package-lock.json ./
 COPY package*.json ./
@@ -13,41 +13,31 @@ RUN npm ci

 COPY . .

-RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
-RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts
-
-RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts
-
-# Copy the appropriate TypeScript configuration based on build type
-RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
-    elif [ "$BUILD" = "saas" ]; then cp tsconfig.saas.json tsconfig.json; \
-    elif [ "$BUILD" = "enterprise" ]; then cp tsconfig.enterprise.json tsconfig.json; \
-    fi
-
-# if the build is oss then remove the server/private directory
-RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi
-
-RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema --out init; fi
-
-RUN mkdir -p dist
-RUN npm run next:build
-RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
-RUN if [ "$DATABASE" = "pg" ]; then \
-    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
-    else \
-    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
-    fi
+RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
+    npm run set:$DATABASE && \
+    npm run set:$BUILD && \
+    npm run db:$DATABASE:generate && \
+    npm run build && \
+    npm run build:cli

 # test to make sure the build output is there and error if not
 RUN test -f dist/server.mjs

-RUN npm run build:cli
-
 # Prune dev dependencies and clean up to prepare for copy to runner
 RUN npm prune --omit=dev && npm cache clean --force

 FROM node:24-alpine AS runner

+# OCI Image Labels - Build Args for dynamic values
+ARG VERSION="dev"
+ARG REVISION=""
+ARG CREATED=""
+ARG LICENSE="AGPL-3.0"
+
+# Derive title and description based on BUILD type
+ARG IMAGE_TITLE="Pangolin"
+ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 WORKDIR /app

 # Only curl and tzdata needed at runtime - no build tools!
@@ -56,17 +46,31 @@ RUN apk add --no-cache curl tzdata
 # Copy pre-built node_modules from builder (already pruned to production only)
 # This includes the compiled native modules like better-sqlite3
 COPY --from=builder /app/node_modules ./node_modules
-
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
-COPY --from=builder /app/init ./dist/init
+COPY --from=builder /app/server/migrations ./dist/init
 COPY --from=builder /app/package.json ./package.json

 COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs

 COPY server/db/names.json ./dist/names.json
+COPY server/db/ios_models.json ./dist/ios_models.json
+COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public

+# OCI Image Labels
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.documentation="https://docs.pangolin.net" \
+      org.opencontainers.image.vendor="Fossorial" \
+      org.opencontainers.image.licenses="${LICENSE}" \
+      org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${REVISION}" \
+      org.opencontainers.image.created="${CREATED}"
+
 CMD ["npm", "run", "start"]
--- a/205
+++ b/205
@@ -3,6 +3,25 @@
 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)

+# OCI label variables
+CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
+
+# Common OCI build args for OSS builds
+OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg IMAGE_TITLE="Pangolin" \
+	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+# Common OCI build args for Enterprise builds
+OCI_ARGS_EE = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg LICENSE="Fossorial Commercial" \
+	--build-arg IMAGE_TITLE="Pangolin EE" \
+	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql

 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
@@ -15,6 +34,7 @@ build-sqlite:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
@@ -30,6 +50,7 @@ build-postgresql:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
@@ -45,6 +66,7 @@ build-ee-sqlite:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
@@ -60,6 +82,7 @@ build-ee-postgresql:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -67,6 +90,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .

+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag) \
+		--push .
+
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
@@ -74,9 +109,16 @@ build-release-arm:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:latest-arm64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
@@ -86,6 +128,11 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-latest-arm64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
@@ -95,6 +142,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-latest-arm64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
@@ -104,6 +157,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
@@ -118,9 +177,16 @@ build-release-amd:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:latest-amd64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
@@ -130,6 +196,11 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
@@ -139,6 +210,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest-amd64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
@@ -148,6 +225,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
@@ -201,27 +284,51 @@ build-rc:
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
@@ -231,27 +338,51 @@ build-rc-arm:
 		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
@@ -261,27 +392,51 @@ build-rc-amd:
 		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
@@ -314,16 +469,52 @@ create-manifests-rc:
 	echo "All RC multi-arch manifests created successfully!"

 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		-t fosrl/pangolin:latest .

 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		-t fosrl/pangolin:latest .

 dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:latest .

 dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:postgresql-latest .

 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest
--- a/README.md
+++ b/README.md
@@ -35,6 +35,12 @@

 </div>

+<p align="center">
+    <a href="https://docs.pangolin.net/careers/join-us">
+        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
+    </a>
+</p>
+
 <p align="center">
    <strong>
        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
@@ -74,6 +80,8 @@ Download the Pangolin client for your platform:
 - [Mac](https://pangolin.net/downloads/mac)
 - [Windows](https://pangolin.net/downloads/windows)
 - [Linux](https://pangolin.net/downloads/linux)
+- [iOS](https://pangolin.net/downloads/ios)
+- [Android](https://pangolin.net/downloads/android)

 ## Get Started

--- a/blueprint.py
+++ b/blueprint.py
@@ -1,72 +0,0 @@
-import requests
-import yaml
-import json
-import base64
-
-# The file path for the YAML file to be read
-# You can change this to the path of your YAML file
-YAML_FILE_PATH = 'blueprint.yaml'
-
-# The API endpoint and headers from the curl request
-API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
-HEADERS = {
-    'accept': '*/*',
-    'Authorization': 'Bearer <your_token_here>',
-    'Content-Type': 'application/json'
-}
-
-def convert_and_send(file_path, url, headers):
-    """
-    Reads a YAML file, converts its content to a JSON payload,
-    and sends it via a PUT request to a specified URL.
-    """
-    try:
-        # Read the YAML file content
-        with open(file_path, 'r') as file:
-            yaml_content = file.read()
-
-        # Parse the YAML string to a Python dictionary
-        # This will be used to ensure the YAML is valid before sending
-        parsed_yaml = yaml.safe_load(yaml_content)
-
-        # convert the parsed YAML to a JSON string
-        json_payload = json.dumps(parsed_yaml)
-        print("Converted JSON payload:")
-        print(json_payload)
-
-        # Encode the JSON string to Base64
-        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
-
-        # Create the final payload with the base64 encoded data
-        final_payload = {
-            "blueprint": encoded_json
-        }
-
-        print("Sending the following Base64 encoded JSON payload:")
-        print(final_payload)
-        print("-" * 20)
-
-        # Make the PUT request with the base64 encoded payload
-        response = requests.put(url, headers=headers, json=final_payload)
-
-        # Print the API response for debugging
-        print(f"API Response Status Code: {response.status_code}")
-        print("API Response Content:")
-        print(response.text)
-
-        # Raise an exception for bad status codes (4xx or 5xx)
-        response.raise_for_status()
-
-    except FileNotFoundError:
-        print(f"Error: The file '{file_path}' was not found.")
-    except yaml.YAMLError as e:
-        print(f"Error parsing YAML file: {e}")
-    except requests.exceptions.RequestException as e:
-        print(f"An error occurred during the API request: {e}")
-    except Exception as e:
-        print(f"An unexpected error occurred: {e}")
-
-# Run the function
-if __name__ == "__main__":
-    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
-
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -1,70 +0,0 @@
-client-resources:
-  client-resource-nice-id-uno:
-    name: this is my resource
-    protocol: tcp
-    proxy-port: 3001
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-  client-resource-nice-id-duce:
-    name: this is my resource
-    protocol: udp
-    proxy-port: 3000
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-
-proxy-resources:
-  resource-nice-id-uno:
-    name: this is my resource
-    protocol: http
-    full-domain: duce.test.example.com
-    host-header: example.com
-    tls-server-name: example.com
-    # auth:
-      # pincode: 123456
-      # password: sadfasdfadsf
-      # sso-enabled: true
-      # sso-roles:
-      #   - Member
-      # sso-users:
-      #   - owen@pangolin.net
-      # whitelist-users:
-      #   - owen@pangolin.net
-      # auto-login-idp: 1
-    headers:
-      - name: X-Example-Header
-        value: example-value
-      - name: X-Another-Header
-        value: another-value
-    rules:
-      - action: allow
-        match: ip
-        value: 1.1.1.1
-      - action: deny
-        match: cidr 
-        value: 2.2.2.2/32
-      - action: pass
-        match: path
-        value: /admin
-    targets:
-    - site: lively-yosemite-toad
-      path: /path
-      pathMatchType: prefix
-      hostname: localhost
-      method: http
-      port: 8000
-    - site: slim-alpine-chipmunk
-      hostname: localhost
-      path: /yoman
-      pathMatchType: exact
-      method: http
-      port: 8001
-  resource-nice-id-duce:
-    name: this is other resource
-    protocol: tcp
-    proxy-port: 3000
-    targets:
-    - site: lively-yosemite-toad 
-      hostname: localhost
-      port: 3000
--- a/cli/commands/clearLicenseKeys.ts
+++ b/cli/commands/clearLicenseKeys.ts
@@ -0,0 +1,36 @@
+import { CommandModule } from "yargs";
+import { db, licenseKey } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ClearLicenseKeysArgs = { };
+
+export const clearLicenseKeys: CommandModule<
+    {},
+    ClearLicenseKeysArgs
+> = {
+    command: "clear-license-keys",
+    describe:
+        "Clear all license keys from the database",
+    // no args
+    builder: (yargs) => {
+        return yargs;
+    },
+    handler: async (argv: {}) => {
+        try {
+
+            console.log(`Clearing all license keys from the database`);
+
+            // Delete all license keys
+            const deletedCount = await db
+                .delete(licenseKey)
+                .where(eq(licenseKey.licenseKeyId, licenseKey.licenseKeyId))  .returning();; // delete all
+
+            console.log(`Deleted ${deletedCount.length} license key(s) from the database`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/deleteClient.ts
+++ b/cli/commands/deleteClient.ts
@@ -0,0 +1,123 @@
+import { CommandModule } from "yargs";
+import { db, clients, olms, currentFingerprint, userClients, approvals } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+
+type DeleteClientArgs = {
+    orgId: string;
+    niceId: string;
+};
+
+export const deleteClient: CommandModule<{}, DeleteClientArgs> = {
+    command: "delete-client",
+    describe:
+        "Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.",
+    builder: (yargs) => {
+        return yargs
+            .option("orgId", {
+                type: "string",
+                demandOption: true,
+                describe: "The organization ID"
+            })
+            .option("niceId", {
+                type: "string",
+                demandOption: true,
+                describe: "The client niceId (identifier)"
+            });
+    },
+    handler: async (argv: { orgId: string; niceId: string }) => {
+        try {
+            const { orgId, niceId } = argv;
+
+            console.log(
+                `Deleting client with orgId: ${orgId}, niceId: ${niceId}...`
+            );
+
+            // Find the client
+            const [client] = await db
+                .select()
+                .from(clients)
+                .where(and(eq(clients.orgId, orgId), eq(clients.niceId, niceId)))
+                .limit(1);
+
+            if (!client) {
+                console.error(
+                    `Error: Client with orgId "${orgId}" and niceId "${niceId}" not found.`
+                );
+                process.exit(1);
+            }
+
+            const clientId = client.clientId;
+            console.log(`Found client with clientId: ${clientId}`);
+
+            // Find all OLMs associated with this client
+            const associatedOlms = await db
+                .select()
+                .from(olms)
+                .where(eq(olms.clientId, clientId));
+
+            console.log(`Found ${associatedOlms.length} OLM(s) associated with this client`);
+
+            // Delete in a transaction to ensure atomicity
+            await db.transaction(async (trx) => {
+                // Delete currentFingerprint entries for the associated OLMs
+                // Note: We delete these explicitly before deleting OLMs to ensure
+                // we have control, even though cascade would handle it
+                let fingerprintCount = 0;
+                if (associatedOlms.length > 0) {
+                    const olmIds = associatedOlms.map((olm) => olm.olmId);
+                    const deletedFingerprints = await trx
+                        .delete(currentFingerprint)
+                        .where(inArray(currentFingerprint.olmId, olmIds))
+                        .returning();
+                    fingerprintCount = deletedFingerprints.length;
+                }
+                console.log(`Deleted ${fingerprintCount} current fingerprint(s)`);
+
+                // Delete OLMs
+                // Note: OLMs have onDelete: "set null" for clientId, so we need to delete them explicitly
+                const deletedOlms = await trx
+                    .delete(olms)
+                    .where(eq(olms.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedOlms.length} OLM(s)`);
+
+                // Delete approvals
+                // Note: Approvals have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedApprovals = await trx
+                    .delete(approvals)
+                    .where(eq(approvals.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedApprovals.length} approval(s)`);
+
+                // Delete userClients
+                // Note: userClients have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedUserClients = await trx
+                    .delete(userClients)
+                    .where(eq(userClients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedUserClients.length} userClient association(s)`);
+
+                // Finally, delete the client itself
+                const deletedClients = await trx
+                    .delete(clients)
+                    .where(eq(clients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted client: ${deletedClients[0]?.name || niceId}`);
+            });
+
+            console.log("\nClient deletion completed successfully!");
+            console.log("\nSummary:");
+            console.log(`  - Client: ${niceId} (clientId: ${clientId})`);
+            console.log(`  - Olm(s): ${associatedOlms.length}`);
+            console.log(`  - Current fingerprints: deleted`);
+            console.log(`  - Approvals: deleted`);
+            console.log(`  - UserClients: deleted`);
+            console.log(`  - Snapshots: preserved (not deleted)`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error deleting client:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -6,6 +6,8 @@ import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 import { clearExitNodes } from "./commands/clearExitNodes";
 import { rotateServerSecret } from "./commands/rotateServerSecret";
+import { clearLicenseKeys } from "./commands/clearLicenseKeys";
+import { deleteClient } from "./commands/deleteClient";

 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -13,5 +15,7 @@ yargs(hideBin(process.argv))
    .command(resetUserSecurityKeys)
    .command(clearExitNodes)
    .command(rotateServerSecret)
+    .command(clearLicenseKeys)
+    .command(deleteClient)
    .demandCommand()
    .help().argv;
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -1,27 +1,30 @@
 # To see all available options, please visit the docs:
-# https://docs.pangolin.net/self-host/advanced/config-file
-
-app:
-  dashboard_url: http://localhost:3002
-  log_level: debug
-
-domains:
-  domain1:
-    base_domain: example.com
-
-server:
-  secret: my_secret_key
+# https://docs.pangolin.net/

 gerbil:
-  base_endpoint: example.com
+    start_port: 51820
+    base_endpoint: "{{.DashboardDomain}}"

-orgs:
-  block_size: 24
-  subnet_group: 100.90.137.0/20
+app:
+    dashboard_url: "https://{{.DashboardDomain}}"
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "{{.BaseDomain}}"
+
+server:
+    secret: "{{.Secret}}"
+    cors:
+        origins: ["https://{{.DashboardDomain}}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false

 flags:
-  require_email_verification: false
-  disable_signup_without_invite: true
-  disable_user_create_org: true
-  allow_raw_resources: true
-  enable_integration_api: true
+    require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true
--- a/config/traefik/dynamic_config.yml
+++ b/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,14 +17,16 @@ http:
        - web
      middlewares:
        - redirect-to-https
+        - badger

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
-      rule: "Host(`{{.DashboardDomain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
      service: next-service
-      priority: 10
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -28,9 +34,10 @@ http:
    api-router:
      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
      service: api-service
-      priority: 100
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -44,3 +51,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -3,32 +3,52 @@ api:
  dashboard: true

 providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
  file:
-    directory: "/var/dynamic"
-    watch: true
+    filename: "/etc/traefik/dynamic_config.yml"

 experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
-      version: "v1.3.0"
+      version: "{{.BadgerVersion}}"

 log:
-  level: "DEBUG"
+  level: "INFO"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true

+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
 entryPoints:
  web:
    address: ":80"
  websecure:
-    address: ":9443"
+    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true

 serversTransport:
  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
--- a/docker-compose.pgr.yml
+++ b/docker-compose.pgr.yml
@@ -7,8 +7,8 @@ services:
      POSTGRES_DB: postgres # Default database name
      POSTGRES_USER: postgres # Default user
      POSTGRES_PASSWORD: password # Default password (change for production!)
-    volumes:
-      - ./config/postgres:/var/lib/postgresql/data
+    # volumes:
+    #   - ./config/postgres:/var/lib/postgresql/data
    ports:
      - "5432:5432" # Map host port 5432 to container port 5432
    restart: no
--- a/drizzle.config.ts
+++ b/drizzle.config.ts
@@ -0,0 +1,14 @@
+import { defineConfig } from "drizzle-kit";
+import path from "path";
+
+const schema = [path.join("server", "db", "pg", "schema")];
+
+export default defineConfig({
+    dialect: "postgresql",
+    schema: schema,
+    out: path.join("server", "migrations"),
+    verbose: true,
+    dbCredentials: {
+        url: process.env.DATABASE_URL as string
+    }
+});
--- a/esbuild.mjs
+++ b/esbuild.mjs
@@ -6,6 +6,12 @@ import path from "path";
 import fs from "fs";
 // import { glob } from "glob";

+// Read default build type from server/build.ts
+let build = "oss";
+const buildFile = fs.readFileSync(path.resolve("server/build.ts"), "utf8");
+const m = buildFile.match(/export\s+const\s+build\s*=\s*["'](oss|saas|enterprise)["']/);
+if (m) build = m[1];
+
 const banner = `
 // patch __dirname
 // import { fileURLToPath } from "url";
@@ -37,7 +43,7 @@ const argv = yargs(hideBin(process.argv))
        describe: "Build type (oss, saas, enterprise)",
        type: "string",
        choices: ["oss", "saas", "enterprise"],
-        default: "oss"
+        default: build
    })
    .help()
    .alias("help", "h").argv;
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -43,9 +43,12 @@ entryPoints:
    http:
      tls:
        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true

 serversTransport:
  insecureSkipVerify: true

 ping:
-  entryPoint: "web"
+  entryPoint: "web"
--- a/install/containers.go
+++ b/install/containers.go
@@ -210,6 +210,47 @@ func isDockerRunning() bool {
 	return true
 }

+func isPodmanRunning() bool {
+	cmd := exec.Command("podman", "info")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+// detectContainerType detects whether the system is currently using Docker or Podman
+// by checking which container runtime is running and has containers
+func detectContainerType() SupportedContainer {
+	// Check if we have running containers with podman
+	if isPodmanRunning() {
+		cmd := exec.Command("podman", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Podman
+		}
+	}
+
+	// Check if we have running containers with docker
+	if isDockerRunning() {
+		cmd := exec.Command("docker", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Docker
+		}
+	}
+
+	// If no containers are running, check which one is installed and running
+	if isPodmanRunning() && isPodmanInstalled() {
+		return Podman
+	}
+
+	if isDockerRunning() && isDockerInstalled() {
+		return Docker
+	}
+
+	return Undefined
+}
+
 // executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
 func executeDockerComposeCommandWithArgs(args ...string) error {
 	var cmd *exec.Cmd
--- a/install/crowdsec.go
+++ b/install/crowdsec.go
@@ -93,7 +93,7 @@ func installCrowdsec(config Config) error {

 	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
 		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
-		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+		fmt.Printf("	%s exec crowdsec cscli bouncers add traefik-bouncer\n", config.InstallationContainerType)
 	}

 	return nil
@@ -117,7 +117,7 @@ func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
 	}

 	// Execute the command to get the API key
-	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	cmd := exec.Command(string(containerType), "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
 	var out bytes.Buffer
 	cmd.Stdout = &out

--- a/install/go.mod
+++ b/install/go.mod
@@ -3,8 +3,8 @@ module installer
 go 1.24.0

 require (
-	golang.org/x/term v0.38.0
+	golang.org/x/term v0.39.0
 	gopkg.in/yaml.v3 v3.0.1
 )

-require golang.org/x/sys v0.39.0 // indirect
+require golang.org/x/sys v0.40.0 // indirect
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,7 +1,7 @@
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/main.go
+++ b/install/main.go
@@ -6,7 +6,8 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"math/rand"
+	"crypto/rand"
+	"encoding/base64"
 	"net"
 	"net/http"
 	"net/url"
@@ -229,7 +230,16 @@ func main() {
 					}
 				}

-				config.InstallationContainerType = podmanOrDocker(reader)
+				// Try to detect container type from existing installation
+				detectedType := detectContainerType()
+				if detectedType == Undefined {
+					// If detection fails, prompt the user
+					fmt.Println("Unable to detect container type from existing installation.")
+					config.InstallationContainerType = podmanOrDocker(reader)
+				} else {
+					config.InstallationContainerType = detectedType
+					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
+				}

 				config.DoCrowdsecInstall = true
 				err := installCrowdsec(config)
@@ -286,10 +296,10 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			os.Exit(1)
 		}

-		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -300,7 +310,7 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 				// container low-range ports as unprivileged ports.
 				// Linux only.

-				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
 				    fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
@@ -340,7 +350,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")

-	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for persoal use or for businesses making less than 100k USD annually.")
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")

 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")

@@ -583,17 +593,12 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 }

 func generateRandomSecretKey() string {
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-	const length = 32
-
-	var seededRand *rand.Rand = rand.New(
-		rand.NewSource(time.Now().UnixNano()))
-
-	b := make([]byte, length)
-	for i := range b {
-		b[i] = charset[seededRand.Intn(len(charset))]
+	secret := make([]byte, 32)
+	_, err := rand.Read(secret)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to generate random secret key: %v", err))
 	}
-	return string(b)
+	return base64.StdEncoding.EncodeToString(secret)
 }

 func getPublicIP() string {
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -18,6 +18,8 @@
    "componentsMember": "Вие сте част от {count, plural, =0 {нула организации} one {една организация} other {# организации}}.",
    "componentsInvalidKey": "Засечен е невалиден или изтекъл лиценз. Проверете лицензионните условия, за да се възползвате от всички функционалности.",
    "dismiss": "Отхвърляне",
+    "subscriptionViolationMessage": "Превишихте ограничението на текущия си план. Коригирайте проблема, като премахнете сайтове, потребители или други ресурси, за да оставате в рамките на плана си.",
+    "subscriptionViolationViewBilling": "Преглед на фактурирането",
    "componentsLicenseViolation": "Нарушение на лиценза: Сървърът използва {usedSites} сайта, което надвишава лицензионния лимит от {maxSites} сайта. Проверете лицензионните условия, за да се възползвате от всички функционалности.",
    "componentsSupporterMessage": "Благодарим ви, че подкрепяте Pangolin като {tier}!",
    "inviteErrorNotValid": "Съжаляваме, но изглежда, че поканата, до която се опитвате да получите достъп, не е приета или вече не е валидна.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Свържете се с мрежа.",
    "sitesBannerDescription": "Сайтът е връзка с отдалечена мрежа, която позволява на Pangolin да предоставя достъп до ресурси, било то публични или частни, на потребители навсякъде. Инсталирайте мрежовия конектор на сайта (Newt) навсякъде, където можете да стартирате бинарен или контейнер, за да създадете връзката.",
    "sitesBannerButtonText": "Инсталиране на сайт.",
+    "approvalsBannerTitle": "Одобрете или откажете достъп до устройство",
+    "approvalsBannerDescription": "Прегледайте и одобрите или откажете искания за достъп до устройства от потребители. Когато се изисква одобрение на устройства, потребителите трябва да получат администраторско одобрение, преди техните устройства да могат да се свържат с ресурсите на вашата организация.",
+    "approvalsBannerButtonText": "Научете повече",
    "siteCreate": "Създайте сайт",
    "siteCreateDescription2": "Следвайте стъпките по-долу, за да създадете и свържете нов сайт",
    "siteCreateDescription": "Създайте нов сайт, за да започнете да свързвате ресурси",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Търсене на роли...",
    "accessRolesAdd": "Добавете роля",
    "accessRoleDelete": "Изтриване на роля",
+    "accessApprovalsManage": "Управление на одобрения",
+    "accessApprovalsDescription": "Прегледайте и управлявайте чакащи одобрения за достъп до тази организация",
    "description": "Описание",
    "inviteTitle": "Отворени покани",
    "inviteDescription": "Управлявайте покани за други потребители да се присъединят към организацията",
@@ -450,6 +457,18 @@
    "selectDuration": "Изберете продължителност",
    "selectResource": "Изберете Ресурс",
    "filterByResource": "Филтрирай По Ресурс",
+    "selectApprovalState": "Изберете състояние на одобрение",
+    "filterByApprovalState": "Филтрирайте по състояние на одобрение",
+    "approvalListEmpty": "Няма одобрения",
+    "approvalState": "Състояние на одобрение",
+    "approve": "Одобряване",
+    "approved": "Одобрен",
+    "denied": "Отказан",
+    "deniedApproval": "Одобрение е отказано",
+    "all": "Всички",
+    "deny": "Откажете",
+    "viewDetails": "Разгледай подробности",
+    "requestingNewDeviceApproval": "поискана нова устройство",
    "resetFilters": "Нулиране на Филтрите",
    "totalBlocked": "Заявки Блокирани От Pangolin",
    "totalRequests": "Общо Заявки",
@@ -729,16 +748,28 @@
    "countries": "Държави",
    "accessRoleCreate": "Създайте роля",
    "accessRoleCreateDescription": "Създайте нова роля за групиране на потребители и управление на техните разрешения.",
+    "accessRoleEdit": "Редактиране на роля",
+    "accessRoleEditDescription": "Редактирайте информацията за ролята.",
    "accessRoleCreateSubmit": "Създайте роля",
    "accessRoleCreated": "Ролята е създадена",
    "accessRoleCreatedDescription": "Ролята беше успешно създадена.",
    "accessRoleErrorCreate": "Неуспешно създаване на роля",
    "accessRoleErrorCreateDescription": "Възникна грешка при създаването на ролята.",
+    "accessRoleUpdateSubmit": "Обновете роля",
+    "accessRoleUpdated": "Ролята е актуализирана",
+    "accessRoleUpdatedDescription": "Ролята беше успешно актуализирана.",
+    "accessApprovalUpdated": "Одобрението е обработено",
+    "accessApprovalApprovedDescription": "Задайте решение на заявка за одобрение да бъде одобрено.",
+    "accessApprovalDeniedDescription": "Задайте решение на заявка за одобрение да бъде отказано.",
+    "accessRoleErrorUpdate": "Неуспешно актуализиране на ролята",
+    "accessRoleErrorUpdateDescription": "Възникна грешка при актуализиране на ролята.",
+    "accessApprovalErrorUpdate": "Неуспешно обработване на одобрение",
+    "accessApprovalErrorUpdateDescription": "Възникна грешка при обработване на одобрението.",
    "accessRoleErrorNewRequired": "Нова роля е необходима",
    "accessRoleErrorRemove": "Неуспешно премахване на роля",
    "accessRoleErrorRemoveDescription": "Възникна грешка при премахването на роля.",
    "accessRoleName": "Име на роля",
-    "accessRoleQuestionRemove": "Ще изтриете ролята {name}. Не можете да отмените това действие.",
+    "accessRoleQuestionRemove": "Ще изтриете ролята `{name}`. Не можете да отмените това действие.",
    "accessRoleRemove": "Премахни роля",
    "accessRoleRemoveDescription": "Премахни роля от организацията",
    "accessRoleRemoveSubmit": "Премахни роля",
@@ -874,7 +905,7 @@
    "inviteAlready": "Изглежда, че сте били поканени!",
    "inviteAlreadyDescription": "За да приемете поканата, трябва да влезете или да създадете акаунт.",
    "signupQuestion": "Вече имате акаунт?",
-    "login": "Влизане",
+    "login": "Вход",
    "resourceNotFound": "Ресурсът не е намерен",
    "resourceNotFoundDescription": "Ресурсът, който се опитвате да достъпите, не съществува.",
    "pincodeRequirementsLength": "ПИН трябва да бъде точно 6 цифри",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Тази организация изисква да сменяте паролата си на всеки {maxDays} дни.",
    "changePasswordNow": "Сменете паролата сега",
    "pincodeAuth": "Код на удостоверителя",
-    "pincodeSubmit2": "Изпрати код",
+    "pincodeSubmit2": "Изпратете кода",
    "passwordResetSubmit": "Заявка за нулиране",
    "passwordResetAlreadyHaveCode": "Въведете код.",
    "passwordResetSmtpRequired": "Моля, свържете се с вашия администратор",
    "passwordResetSmtpRequiredDescription": "Кодът за нулиране на парола е задължителен за нулиране на паролата ви. Моля, свържете се с вашия администратор за помощ.",
    "passwordBack": "Назад към Парола",
-    "loginBack": "Връщане към вход",
+    "loginBack": "Върнете се на главната страница за вход",
    "signup": "Регистрация",
    "loginStart": "Влезте, за да започнете",
    "idpOidcTokenValidating": "Валидиране на OIDC токен",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Актуализиране на IdP организация",
    "actionCreateClient": "Създаване на клиент",
    "actionDeleteClient": "Изтриване на клиент",
+    "actionArchiveClient": "Архивиране на клиента",
+    "actionUnarchiveClient": "Разархивиране на клиента",
+    "actionBlockClient": "Блокиране на клиента",
+    "actionUnblockClient": "Деблокиране на клиента",
    "actionUpdateClient": "Актуализиране на клиент",
    "actionListClients": "Списък с клиенти",
    "actionGetClient": "Получаване на клиент",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Търсене...",
    "create": "Създаване",
    "orgs": "Организации",
-    "loginError": "Възникна грешка при влизане",
-    "loginRequiredForDevice": "Необходим е вход за удостоверяване на вашето устройство.",
+    "loginError": "Възникна неочаквана грешка. Моля, опитайте отново.",
+    "loginRequiredForDevice": "Необходим е вход за вашето устройство.",
    "passwordForgot": "Забравена парола?",
    "otpAuth": "Двуфакторно удостоверяване",
    "otpAuthDescription": "Въведете кода от приложението за удостоверяване или един от вашите резервни кодове за еднократна употреба.",
    "otpAuthSubmit": "Изпрати код",
    "idpContinue": "Или продължете със",
-    "otpAuthBack": "Назад към Вход",
+    "otpAuthBack": "Назад към парола",
    "navbar": "Навигационно меню",
    "navbarDescription": "Главно навигационно меню за приложението",
    "navbarDocsLink": "Документация",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Общ преглед",
    "sidebarHome": "Начало",
    "sidebarSites": "Сайтове",
+    "sidebarApprovals": "Заявки за одобрение",
    "sidebarResources": "Ресурси",
    "sidebarProxyResources": "Публично",
    "sidebarClientResources": "Частно",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Идентификационни доставчици",
    "sidebarLicense": "Лиценз",
    "sidebarClients": "Клиенти",
-    "sidebarUserDevices": "Потребители",
+    "sidebarUserDevices": "Устройства на потребителя",
    "sidebarMachineClients": "Машини",
    "sidebarDomains": "Домейни",
    "sidebarGeneral": "Управление.",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Възникна грешка при създаване на админ акаунт.",
    "certificateStatus": "Статус на сертификата",
    "loading": "Зареждане",
+    "loadingAnalytics": "Зареждане на анализи",
    "restart": "Рестарт",
    "domains": "Домейни",
    "domainsDescription": "Създайте и управлявайте наличните домейни в организацията",
@@ -1304,6 +1341,7 @@
    "refreshError": "Неуспешно обновяване на данни",
    "verified": "Потвърдено",
    "pending": "Чакащо",
+    "pendingApproval": "Очаква одобрение",
    "sidebarBilling": "Фактуриране",
    "billing": "Фактуриране",
    "orgBillingDescription": "Управлявайте информацията за плащане и абонаментите",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Преглед на лимитите за използване",
    "billingMonitorUsage": "Следете своята употреба спрямо конфигурираните лимити. Ако имате нужда от увеличаване на лимитите, моля свържете се с нас support@pangolin.net.",
    "billingDataUsage": "Използване на данни",
-    "billingOnlineTime": "Време на работа на сайта",
-    "billingUsers": "Активни потребители",
-    "billingDomains": "Активни домейни",
-    "billingRemoteExitNodes": "Активни самостоятелно хоствани възли",
+    "billingSites": "Сайтове",
+    "billingUsers": "Потребители",
+    "billingDomains": "Домейни",
+    "billingRemoteExitNodes": "Дистанционни възли",
    "billingNoLimitConfigured": "Няма конфигуриран лимит",
    "billingEstimatedPeriod": "Очакван период на фактуриране",
    "billingIncludedUsage": "Включено използване",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Неуспех при получаване на URL на портала",
    "billingPortalError": "Грешка в портала",
    "billingDataUsageInfo": "Таксува се за всички данни, прехвърляни през вашите защитени тунели, когато сте свързани към облака. Това включва както входящия, така и изходящия трафик за всички ваши сайтове. Когато достигнете лимита си, вашите сайтове ще бъдат прекъснати, докато не надстроите плана или не намалите използването. Данните не се таксуват при използване на възли.",
-    "billingOnlineTimeInfo": "Таксува се на база колко време вашите сайтове остават свързани с облака. Пример: 44,640 минути се равняват на един сайт работещ 24/7 за цял месец. Когато достигнете лимита си, вашите сайтове ще бъдат прекъснати, докато не надстроите плана или не намалите използването. Времето не се таксува при използване на възли.",
-    "billingUsersInfo": "Таксува се всеки потребител в организацията. Таксуването се изчислява ежедневно въз основа на броя на активните потребителски акаунти във вашата организация.",
-    "billingDomainInfo": "Таксува се всеки домейн в организацията. Таксуването се изчислява ежедневно въз основа на броя на активните домейн акаунти във вашата организация.",
-    "billingRemoteExitNodesInfo": "Таксува се всеки управляван възел в организацията. Таксуването се изчислява ежедневно въз основа на броя на активните управлявани възли във вашата организация.",
+    "billingSInfo": "Колко сайта можете да използвате",
+    "billingUsersInfo": "Колко потребители можете да използвате",
+    "billingDomainInfo": "Колко домейни можете да използвате",
+    "billingRemoteExitNodesInfo": "Колко дистанционни възли можете да използвате",
+    "billingLicenseKeys": "Лицензионни ключове",
+    "billingLicenseKeysDescription": "Управлявайте вашите абонаменти за лицензионни ключове",
+    "billingLicenseSubscription": "Абонамент за лиценз",
+    "billingInactive": "Неактивен",
+    "billingLicenseItem": "Лицензионен елемент",
+    "billingQuantity": "Количество",
+    "billingTotal": "общо",
+    "billingModifyLicenses": "Промяна на абонамента за лиценз",
    "domainNotFound": "Домейнът не е намерен",
    "domainNotFoundDescription": "Този ресурс е деактивиран, защото домейнът вече не съществува в нашата система. Моля, задайте нов домейн за този ресурс.",
    "failed": "Неуспешно",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Ключът за защита е премахнат успешно",
    "securityKeyRemoveError": "Неуспешно премахване на ключ за защита",
    "securityKeyLoadError": "Неуспешно зареждане на ключове за защита",
-    "securityKeyLogin": "Продължете с ключа за сигурност",
+    "securityKeyLogin": "Използвайте ключ за защита",
    "securityKeyAuthError": "Неуспешно удостоверяване с ключ за сигурност",
    "securityKeyRecommendation": "Регистрирайте резервен ключ за безопасност на друго устройство, за да сте сигурни, че винаги ще имате достъп до профила си",
    "registering": "Регистрация...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Номерът на порта е задължителен за не-HTTP ресурси",
    "resourcePortNotAllowed": "Номерът на порта не трябва да бъде задаван за HTTP ресурси",
    "billingPricingCalculatorLink": "Калкулатор на цените",
+    "billingYourPlan": "Вашият план",
+    "billingViewOrModifyPlan": "Преглед или промяна на текущия ви план",
+    "billingViewPlanDetails": "Преглед на подробности за плана",
+    "billingUsageAndLimits": "Използване и граници",
+    "billingViewUsageAndLimits": "Преглед на ограниченията на плана и текущото използване",
+    "billingCurrentUsage": "Текущо използване",
+    "billingMaximumLimits": "Максимални граници",
+    "billingRemoteNodes": "Дистанционни възли",
+    "billingUnlimited": "Неограничено",
+    "billingPaidLicenseKeys": "Платени лицензионни ключове",
+    "billingManageLicenseSubscription": "Управлявайте абонамента си за платени самостоятелно хоствани лицензионни ключове",
+    "billingCurrentKeys": "Текущи ключове",
+    "billingModifyCurrentPlan": "Промяна на текущия план",
+    "billingConfirmUpgrade": "Потвърдете повишаването",
+    "billingConfirmDowngrade": "Потвърдете понижението",
+    "billingConfirmUpgradeDescription": "Предстои ви да повишите плана си. Прегледайте новите ограничения и цени по-долу.",
+    "billingConfirmDowngradeDescription": "Предстои ви да понижите плана си. Прегледайте новите ограничения и цени по-долу.",
+    "billingPlanIncludes": "Планът включва",
+    "billingProcessing": "Процесиране...",
+    "billingConfirmUpgradeButton": "Потвърдете повишаването",
+    "billingConfirmDowngradeButton": "Потвърдете понижението",
+    "billingLimitViolationWarning": "Използването надвишава новите планови ограничения",
+    "billingLimitViolationDescription": "Текущото ви използване надвишава ограниченията на този план. След понижаване, всички действия ще бъдат деактивирани, докато не намалите използването в рамките на новите ограничения. Моля, прегледайте по-долу функциите, които в момента са извън ограниченията. Ограничения в нарушение:",
+    "billingFeatureLossWarning": "Уведомление за наличност на функциите",
+    "billingFeatureLossDescription": "Чрез понижението на плана, функциите, недостъпни в новия план, ще бъдат автоматично деактивирани. Някои настройки и конфигурации може да бъдат загубени. Моля, прегледайте ценовата матрица, за да разберете кои функции вече няма да са на разположение.",
+    "billingUsageExceedsLimit": "Текущото използване ({current}) надвишава ограничението ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Съгласен съм с",
        "termsOfService": "условията за ползване",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Интервал за здраве",
    "timeoutSeconds": "Време за изчакване (сек)",
    "timeIsInSeconds": "Времето е в секунди",
+    "requireDeviceApproval": "Изискват одобрение на устройства",
+    "requireDeviceApprovalDescription": "Потребители с тази роля трябва да имат нови устройства одобрени от администратор преди да могат да се свържат и да имат достъп до ресурси.",
    "retryAttempts": "Опити за повторно",
    "expectedResponseCodes": "Очаквани кодове за отговор",
    "expectedResponseCodesDescription": "HTTP статус код, указващ здравословно състояние. Ако бъде оставено празно, между 200-300 се счита за здравословно.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Не са намерени вътрешни ресурси.",
    "resourcesTableDestination": "Дестинация",
    "resourcesTableAlias": "Псевдоним",
+    "resourcesTableAliasAddress": "Адрес на псевдоним.",
+    "resourcesTableAliasAddressInfo": "Този адрес е част от подсистемата на организацията. Използва се за разрешаване на псевдонимни записи чрез вътрешно DNS разрешаване.",
    "resourcesTableClients": "Клиенти",
    "resourcesTableAndOnlyAccessibleInternally": "и са достъпни само вътрешно при свързване с клиент.",
    "resourcesTableNoTargets": "Без цели",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
    "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
    "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
-    "orgAuthSignInToOrg": "Влезте в организация.",
+    "orgAuthSignInToOrg": "Влезте в организация",
    "orgAuthSelectOrgTitle": "Вход в организация.",
    "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
    "orgAuthOrgIdPlaceholder": "вашата-организация",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Назад към стандартния вход.",
    "orgAuthNoAccount": "Нямате профил?",
    "subscriptionRequiredToUse": "Необходим е абонамент, за да използвате тази функция.",
+    "mustUpgradeToUse": "Трябва да повишите своя абонамент, за да използвате тази функция.",
+    "subscriptionRequiredTierToUse": "Тази функция изисква <tierLink>{tier}</tierLink> или по-висок план.",
+    "upgradeToTierToUse": "Повишете до <tierLink>{tier}</tierLink> или по-висок план, за да използвате тази функция.",
+    "subscriptionTierTier1": "Домашен",
+    "subscriptionTierTier2": "Екип",
+    "subscriptionTierTier3": "Бизнес",
+    "subscriptionTierEnterprise": "Предприятие",
    "idpDisabled": "Доставчиците на идентичност са деактивирани.",
    "orgAuthPageDisabled": "Страницата за удостоверяване на организацията е деактивирана.",
    "domainRestartedDescription": "Проверка на домейна е рестартирана успешно",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Получаване на лиценз",
+        "description": "Изберете план и ни кажете как планирате да използвате Pangolin.",
+        "chooseTier": "Изберете вашия план",
+        "viewPricingLink": "Вижте цените, функциите и ограниченията",
+        "tiers": {
+            "starter": {
+                "title": "Стартов",
+                "description": "Предприятие, 25 потребители, 25 сайта и общностна поддръжка."
+            },
+            "scale": {
+                "title": "Скала",
+                "description": "Предприятие, 50 потребители, 50 сайта и приоритетна поддръжка."
+            }
+        },
+        "personalUseOnly": "Само за лична употреба (безплатен лиценз — без плащане)",
+        "buttons": {
+            "continueToCheckout": "Продължете към плащане"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Грешка при плащането",
+                "description": "Не можа да се започне плащането. Моля, опитайте отново."
+            }
+        }
+    },
    "priority": "Приоритет",
    "priorityDescription": "По-високите приоритетни маршрути се оценяват първи. Приоритет = 100 означава автоматично подреждане (системата решава). Използвайте друго число, за да наложите ръчен приоритет.",
    "instanceName": "Име на инстанция",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
    "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
    "licenseRequiredToUse": "Необходим е лиценз Enterprise, за да се използва тази функция.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> се изисква за използване на тази функция.",
    "certResolver": "Решавач на сертификати",
    "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
    "selectCertResolver": "Изберете решавач на сертификати",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Кодът трябва да бъде 9 символа (напр. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Невалиден или изтекъл код",
    "deviceCodeVerifyFailed": "Неуспешна проверка на кода на устройството",
+    "deviceCodeValidating": "Валидиране на кода на устройството...",
+    "deviceCodeVerifying": "Проверка на оторизацията на устройството...",
    "signedInAs": "Вписан като",
    "deviceCodeEnterPrompt": "Въведете кода, показан на устройството",
    "continue": "Продължете",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Достъп до всички организации, до които има достъп акаунтът ви",
    "deviceAuthorize": "Разрешете {applicationName}",
    "deviceConnected": "Устройството е свързано!",
-    "deviceAuthorizedMessage": "Устройството е разрешено да има достъп до вашия акаунт.",
+    "deviceAuthorizedMessage": "Устройството е оторизирано да има достъп до акаунта ви. Моля, върнете се към клиентското приложение.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Преглед на устройствата",
    "viewDevicesDescription": "Управлявайте свързаните си устройства",
@@ -2306,6 +2418,7 @@
    "identifier": "Идентификатор",
    "deviceLoginUseDifferentAccount": "Не сте вие? Използвайте друг акаунт.",
    "deviceLoginDeviceRequestingAccessToAccount": "Устройство запитващо достъп до този акаунт.",
+    "loginSelectAuthenticationMethod": "Изберете метод на удостоверяване, за да продължите.",
    "noData": "Няма Данни",
    "machineClients": "Машинни клиенти",
    "install": "Инсталирай",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Услугата временно недостъпна.",
    "maintenanceScreenMessage": "В момента срещаме технически затруднения. Моля, проверете отново скоро.",
    "maintenanceScreenEstimatedCompletion": "Прогнозно завършване:",
-    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна."
+    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна.",
+    "available": "Налично",
+    "archived": "Архивирано",
+    "noArchivedDevices": "Не са намерени архивирани устройства.",
+    "deviceArchived": "Устройството е архивирано.",
+    "deviceArchivedDescription": "Устройството беше успешно архивирано.",
+    "errorArchivingDevice": "Грешка при архивиране на устройството.",
+    "failedToArchiveDevice": "Неуспех при архивиране на устройството.",
+    "deviceQuestionArchive": "Сигурни ли сте, че искате да архивирате това устройство?",
+    "deviceMessageArchive": "Устройството ще бъде архивирано и премахнато от вашия списък с активни устройства.",
+    "deviceArchiveConfirm": "Архивиране на устройството",
+    "archiveDevice": "Архивиране на устройство",
+    "archive": "Архив",
+    "deviceUnarchived": "Устройството е разархивирано.",
+    "deviceUnarchivedDescription": "Устройството беше успешно разархивирано.",
+    "errorUnarchivingDevice": "Грешка при разархивиране на устройството.",
+    "failedToUnarchiveDevice": "Неуспешно разархивиране на устройството.",
+    "unarchive": "Разархивиране",
+    "archiveClient": "Архивиране на клиента",
+    "archiveClientQuestion": "Сигурни ли сте, че искате да архивирате този клиент?",
+    "archiveClientMessage": "Клиентът ще бъде архивиран и премахнат от вашия списък с активни клиенти.",
+    "archiveClientConfirm": "Архивиране на клиента",
+    "blockClient": "Блокиране на клиента",
+    "blockClientQuestion": "Сигурни ли сте, че искате да блокирате този клиент?",
+    "blockClientMessage": "Устройството ще бъде принудено да прекъсне, ако е в момента свързано. Можете да го отблокирате по-късно.",
+    "blockClientConfirm": "Блокиране на клиента",
+    "active": "Активно",
+    "usernameOrEmail": "Потребителско име или имейл",
+    "selectYourOrganization": "Изберете вашата организация",
+    "signInTo": "Влезте в",
+    "signInWithPassword": "Продължете с парола",
+    "noAuthMethodsAvailable": "Няма налични методи за удостоверяване за тази организация.",
+    "enterPassword": "Въведете вашата парола",
+    "enterMfaCode": "Въведете кода от вашето приложение за удостоверяване",
+    "securityKeyRequired": "Моля, използвайте ключа за сигурност, за да влезете.",
+    "needToUseAnotherAccount": "Трябва ли да използвате различен акаунт?",
+    "loginLegalDisclaimer": "С натискането на бутоните по-долу, потвърждавате, че сте прочели, разбирате и се съгласявате с <termsOfService>Условията за ползване</termsOfService> и <privacyPolicy>Политиката за поверителност</privacyPolicy>.",
+    "termsOfService": "Условия за ползване",
+    "privacyPolicy": "Политика за поверителност",
+    "userNotFoundWithUsername": "Не е намерен потребител с това потребителско име.",
+    "verify": "Потвърждение",
+    "signIn": "Вход",
+    "forgotPassword": "Забравена парола?",
+    "orgSignInTip": "Ако сте влизали преди, можете да въведете вашето потребителско име или имейл по-горе, за да се удостовери с идентификатора на вашата организация. Лесно е!",
+    "continueAnyway": "Продължете въпреки това",
+    "dontShowAgain": "Не показвайте повече",
+    "orgSignInNotice": "Знаете ли?",
+    "signupOrgNotice": "Опитвате се да влезете?",
+    "signupOrgTip": "Опитвате ли се да влезете чрез идентификационния доставчик на вашата организация?",
+    "signupOrgLink": "Влезте или се регистрирайте с вашата организация вместо това.",
+    "verifyEmailLogInWithDifferentAccount": "Използвайте различен акаунт",
+    "logIn": "Вход",
+    "deviceInformation": "Информация за устройството",
+    "deviceInformationDescription": "Информация за устройството и агента",
+    "deviceSecurity": "Защита на устройството.",
+    "deviceSecurityDescription": "Информация за състоянието на защитата на устройството.",
+    "platform": "Платформа",
+    "macosVersion": "Версия на macOS",
+    "windowsVersion": "Версия на Windows",
+    "iosVersion": "Версия на iOS",
+    "androidVersion": "Версия на Android",
+    "osVersion": "Версия на ОС",
+    "kernelVersion": "Версия на ядрото",
+    "deviceModel": "Модел на устройството",
+    "serialNumber": "Сериен номер",
+    "hostname": "Име на хост",
+    "firstSeen": "Видян за първи път",
+    "lastSeen": "Последно видян",
+    "biometricsEnabled": "Активирани биометрични данни.",
+    "diskEncrypted": "Криптиран диск.",
+    "firewallEnabled": "Активирана защитна стена.",
+    "autoUpdatesEnabled": "Активирани автоматични актуализации.",
+    "tpmAvailable": "TPM е на разположение.",
+    "windowsAntivirusEnabled": "Активирана антивирусна програма",
+    "macosSipEnabled": "Protection на системната цялост (SIP).",
+    "macosGatekeeperEnabled": "Gatekeeper.",
+    "macosFirewallStealthMode": "Скрит режим на защитната стена.",
+    "linuxAppArmorEnabled": "AppArmor.",
+    "linuxSELinuxEnabled": "SELinux.",
+    "deviceSettingsDescription": "Разгледайте информация и настройки на устройството",
+    "devicePendingApprovalDescription": "Това устройство чака одобрение",
+    "deviceBlockedDescription": "Това устройство е в момента блокирано. Няма да може да се свърже с никакви ресурси, освен ако не бъде деблокирано.",
+    "unblockClient": "Деблокирайте клиента",
+    "unblockClientDescription": "Устройството е деблокирано",
+    "unarchiveClient": "Разархивиране на клиента",
+    "unarchiveClientDescription": "Устройството е разархивирано",
+    "block": "Блокирането",
+    "unblock": "Деблокиране",
+    "deviceActions": "Действия с устройствата",
+    "deviceActionsDescription": "Управлявайте състоянието и достъпа на устройството",
+    "devicePendingApprovalBannerDescription": "Това устройство чака одобрение. Няма да може да се свърже с ресурси, докато не бъде одобрено.",
+    "connected": "Свързан",
+    "disconnected": "Прекъснат",
+    "approvalsEmptyStateTitle": "Одобрения на устройство не са активирани",
+    "approvalsEmptyStateDescription": "Активирайте одобрения на устройства за роли, така че да изискват администраторско одобрение, преди потребителите да могат да свързват нови устройства.",
+    "approvalsEmptyStateStep1Title": "Отидете на роли",
+    "approvalsEmptyStateStep1Description": "Навигирайте до настройките на ролите на вашата организация, за да конфигурирате одобренията на устройства.",
+    "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
+    "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
+    "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
+    "approvalsEmptyStateButtonText": "Управлявайте роли"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -18,6 +18,8 @@
    "componentsMember": "Jste členem {count, plural, =0 {0 organizací} one {1 organizace} other {# organizací}}.",
    "componentsInvalidKey": "Byly nalezeny neplatné nebo propadlé licenční klíče. Pokud chcete nadále používat všechny funkce, postupujte podle licenčních podmínek.",
    "dismiss": "Zavřít",
+    "subscriptionViolationMessage": "Jste za hranicemi vašeho aktuálního plánu. Opravte problém odstraněním webů, uživatelů nebo jiných zdrojů, abyste zůstali ve vašem tarifu.",
+    "subscriptionViolationViewBilling": "Zobrazit fakturaci",
    "componentsLicenseViolation": "Porušení licenčních podmínek: Tento server používá {usedSites} stránek, což překračuje limit {maxSites} licencovaných stránek. Pokud chcete nadále používat všechny funkce, postupujte podle licenčních podmínek.",
    "componentsSupporterMessage": "Děkujeme, že podporujete Pangolin jako {tier}!",
    "inviteErrorNotValid": "Je nám líto, ale vypadá to, že pozvánka, ke které se snažíte získat přístup, nebyla přijata nebo již není platná.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Připojit jakoukoli síť",
    "sitesBannerDescription": "Lokalita je připojení k vzdálené síti, která umožňuje Pangolinu poskytovat přístup k prostředkům, ať už veřejným nebo soukromým, uživatelům kdekoli. Nainstalujte síťový konektor (Newt) kamkoli, kam můžete spustit binární soubor nebo kontejner, aby bylo možné připojení navázat.",
    "sitesBannerButtonText": "Nainstalovat lokalitu",
+    "approvalsBannerTitle": "Schválit nebo zakázat přístup k zařízení",
+    "approvalsBannerDescription": "Zkontrolovat a schválit nebo zakázat žádosti uživatelů o přístup k zařízení. Pokud jsou vyžadována schválení zařízení, musí být uživatelé oprávněni před tím, než se jejich zařízení mohou připojit k zdrojům vaší organizace.",
+    "approvalsBannerButtonText": "Zjistit více",
    "siteCreate": "Vytvořit lokalitu",
    "siteCreateDescription2": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili novou lokalitu",
    "siteCreateDescription": "Vytvořit nový web pro zahájení připojování zdrojů",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Hledat role...",
    "accessRolesAdd": "Přidat roli",
    "accessRoleDelete": "Odstranit roli",
+    "accessApprovalsManage": "Spravovat schválení",
+    "accessApprovalsDescription": "Zobrazit a spravovat čekající oprávnění pro přístup k této organizaci",
    "description": "L 343, 22.12.2009, s. 1).",
    "inviteTitle": "Otevřít pozvánky",
    "inviteDescription": "Spravovat pozvánky pro ostatní uživatele do organizace",
@@ -450,6 +457,18 @@
    "selectDuration": "Vyberte dobu trvání",
    "selectResource": "Vybrat dokument",
    "filterByResource": "Filtrovat podle zdroje",
+    "selectApprovalState": "Vyberte stát schválení",
+    "filterByApprovalState": "Filtrovat podle státu schválení",
+    "approvalListEmpty": "Žádná schválení",
+    "approvalState": "Země schválení",
+    "approve": "Schválit",
+    "approved": "Schváleno",
+    "denied": "Zamítnuto",
+    "deniedApproval": "Odmítnuto schválení",
+    "all": "Vše",
+    "deny": "Zamítnout",
+    "viewDetails": "Zobrazit detaily",
+    "requestingNewDeviceApproval": "vyžádal si nové zařízení",
    "resetFilters": "Resetovat filtry",
    "totalBlocked": "Požadavky blokovány Pangolinem",
    "totalRequests": "Celkem požadavků",
@@ -729,16 +748,28 @@
    "countries": "Země",
    "accessRoleCreate": "Vytvořit roli",
    "accessRoleCreateDescription": "Vytvořte novou roli pro seskupení uživatelů a spravujte jejich oprávnění.",
+    "accessRoleEdit": "Upravit roli",
+    "accessRoleEditDescription": "Upravit informace o roli.",
    "accessRoleCreateSubmit": "Vytvořit roli",
    "accessRoleCreated": "Role vytvořena",
    "accessRoleCreatedDescription": "Role byla úspěšně vytvořena.",
    "accessRoleErrorCreate": "Nepodařilo se vytvořit roli",
    "accessRoleErrorCreateDescription": "Došlo k chybě při vytváření role.",
+    "accessRoleUpdateSubmit": "Aktualizovat roli",
+    "accessRoleUpdated": "Role aktualizována",
+    "accessRoleUpdatedDescription": "Role byla úspěšně aktualizována.",
+    "accessApprovalUpdated": "Zpracovaná schválení",
+    "accessApprovalApprovedDescription": "Nastavit rozhodnutí o schválení žádosti o schválení.",
+    "accessApprovalDeniedDescription": "Nastavit žádost o schválení rozhodnutí o zamítnutí.",
+    "accessRoleErrorUpdate": "Nepodařilo se aktualizovat roli",
+    "accessRoleErrorUpdateDescription": "Došlo k chybě při aktualizaci role.",
+    "accessApprovalErrorUpdate": "Zpracování schválení se nezdařilo",
+    "accessApprovalErrorUpdateDescription": "Při zpracování schválení došlo k chybě.",
    "accessRoleErrorNewRequired": "Je vyžadována nová role",
    "accessRoleErrorRemove": "Nepodařilo se odstranit roli",
    "accessRoleErrorRemoveDescription": "Došlo k chybě při odstraňování role.",
    "accessRoleName": "Název role",
-    "accessRoleQuestionRemove": "Chystáte se odstranit {name} roli. Tuto akci nelze vrátit zpět.",
+    "accessRoleQuestionRemove": "Chystáte se odstranit roli `{name}`. Tuto akci nelze vrátit zpět.",
    "accessRoleRemove": "Odstranit roli",
    "accessRoleRemoveDescription": "Odebrat roli z organizace",
    "accessRoleRemoveSubmit": "Odstranit roli",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Obraťte se na správce",
    "passwordResetSmtpRequiredDescription": "Pro obnovení hesla je vyžadován kód pro obnovení hesla. Kontaktujte prosím svého administrátora.",
    "passwordBack": "Zpět na heslo",
-    "loginBack": "Přejít zpět na přihlášení",
+    "loginBack": "Přejít zpět na hlavní přihlašovací stránku",
    "signup": "Zaregistrovat se",
    "loginStart": "Přihlaste se a začněte",
    "idpOidcTokenValidating": "Ověřování OIDC tokenu",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Aktualizovat IDP Org",
    "actionCreateClient": "Vytvořit klienta",
    "actionDeleteClient": "Odstranit klienta",
+    "actionArchiveClient": "Archivovat klienta",
+    "actionUnarchiveClient": "Zrušit archiv klienta",
+    "actionBlockClient": "Blokovat klienta",
+    "actionUnblockClient": "Odblokovat klienta",
    "actionUpdateClient": "Aktualizovat klienta",
    "actionListClients": "Seznam klientů",
    "actionGetClient": "Získat klienta",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Hledat...",
    "create": "Vytvořit",
    "orgs": "Organizace",
-    "loginError": "Při přihlášení došlo k chybě",
-    "loginRequiredForDevice": "Pro ověření vašeho zařízení je nutné se přihlásit.",
+    "loginError": "Došlo k neočekávané chybě. Zkuste to prosím znovu.",
+    "loginRequiredForDevice": "Přihlášení je vyžadováno pro vaše zařízení.",
    "passwordForgot": "Zapomněli jste heslo?",
    "otpAuth": "Dvoufaktorové ověření",
    "otpAuthDescription": "Zadejte kód z vaší autentizační aplikace nebo jeden z vlastních záložních kódů.",
    "otpAuthSubmit": "Odeslat kód",
    "idpContinue": "Nebo pokračovat s",
-    "otpAuthBack": "Zpět na přihlášení",
+    "otpAuthBack": "Zpět na heslo",
    "navbar": "Navigation Menu",
    "navbarDescription": "Hlavní navigační menu aplikace",
    "navbarDocsLink": "Dokumentace",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Přehled",
    "sidebarHome": "Domů",
    "sidebarSites": "Stránky",
+    "sidebarApprovals": "Žádosti o schválení",
    "sidebarResources": "Zdroje",
    "sidebarProxyResources": "Veřejnost",
    "sidebarClientResources": "Soukromé",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Poskytovatelé identity",
    "sidebarLicense": "Licence",
    "sidebarClients": "Klienti",
-    "sidebarUserDevices": "Uživatelé",
+    "sidebarUserDevices": "Uživatelská zařízení",
    "sidebarMachineClients": "Stroje a přístroje",
    "sidebarDomains": "Domény",
    "sidebarGeneral": "Spravovat",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Došlo k chybě při vytváření účtu správce serveru.",
    "certificateStatus": "Stav certifikátu",
    "loading": "Načítání",
+    "loadingAnalytics": "Načítání analytiky",
    "restart": "Restartovat",
    "domains": "Domény",
    "domainsDescription": "Vytvořit a spravovat domény dostupné v organizaci",
@@ -1304,6 +1341,7 @@
    "refreshError": "Obnovení dat se nezdařilo",
    "verified": "Ověřeno",
    "pending": "Nevyřízeno",
+    "pendingApproval": "Čeká na schválení",
    "sidebarBilling": "Fakturace",
    "billing": "Fakturace",
    "orgBillingDescription": "Spravovat fakturační informace a předplatné",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Přehled omezení použití",
    "billingMonitorUsage": "Sledujte vaše využití pomocí nastavených limitů. Pokud potřebujete zvýšit limity, kontaktujte nás prosím support@pangolin.net.",
    "billingDataUsage": "Využití dat",
-    "billingOnlineTime": "Stránka online čas",
-    "billingUsers": "Aktivní uživatelé",
-    "billingDomains": "Aktivní domény",
-    "billingRemoteExitNodes": "Aktivní Samostatně hostované uzly",
+    "billingSites": "Stránky",
+    "billingUsers": "Uživatelé",
+    "billingDomains": "Domény",
+    "billingRemoteExitNodes": "Vzdálené uzly",
    "billingNoLimitConfigured": "Žádný limit nenastaven",
    "billingEstimatedPeriod": "Odhadované období fakturace",
    "billingIncludedUsage": "Zahrnuto využití",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Nepodařilo se získat URL portálu",
    "billingPortalError": "Chyba portálu",
    "billingDataUsageInfo": "Pokud jste připojeni k cloudu, jsou vám účtována všechna data přenášená prostřednictvím zabezpečených tunelů. To zahrnuje příchozí i odchozí provoz na všech vašich stránkách. Jakmile dosáhnete svého limitu, vaše stránky se odpojí, dokud neaktualizujete svůj tarif nebo nezmenšíte jeho používání. Data nejsou nabírána při používání uzlů.",
-    "billingOnlineTimeInfo": "Platíte na základě toho, jak dlouho budou vaše stránky připojeny k cloudu. Například, 44,640 minut se rovná jedné stránce 24/7 po celý měsíc. Jakmile dosáhnete svého limitu, vaše stránky se odpojí, dokud neaktualizujete svůj tarif nebo nezkrátíte jeho používání. Čas není vybírán při používání uzlů.",
-    "billingUsersInfo": "Každý uživatel v organizaci je účtován denně. Fakturace je počítána na základě počtu aktivních uživatelských účtů na Vašem org.",
-    "billingDomainInfo": "Objednávka je účtována za každou doménu v organizaci. Fakturace je počítána denně na základě počtu aktivních doménových účtů na Vašem org.",
-    "billingRemoteExitNodesInfo": "Za každý spravovaný uzel v organizaci se vám účtuje denně. Fakturace je vypočítávána na základě počtu aktivních spravovaných uzlů ve vašem org.",
+    "billingSInfo": "Kolik stránek můžete použít",
+    "billingUsersInfo": "Kolik uživatelů můžete použít",
+    "billingDomainInfo": "Kolik domén můžete použít",
+    "billingRemoteExitNodesInfo": "Kolik vzdálených uzlů můžete použít",
+    "billingLicenseKeys": "Licenční klíče",
+    "billingLicenseKeysDescription": "Spravovat předplatné licenčního klíče",
+    "billingLicenseSubscription": "Předplatné licence",
+    "billingInactive": "Neaktivní",
+    "billingLicenseItem": "Položka licence",
+    "billingQuantity": "Množství",
+    "billingTotal": "celkem",
+    "billingModifyLicenses": "Upravit předplatné licence",
    "domainNotFound": "Doména nenalezena",
    "domainNotFoundDescription": "Tento dokument je zakázán, protože doména již neexistuje náš systém. Nastavte prosím novou doménu pro tento dokument.",
    "failed": "Selhalo",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Bezpečnostní klíč byl úspěšně odstraněn",
    "securityKeyRemoveError": "Odstranění bezpečnostního klíče se nezdařilo",
    "securityKeyLoadError": "Nepodařilo se načíst bezpečnostní klíče",
-    "securityKeyLogin": "Pokračovat s bezpečnostním klíčem",
+    "securityKeyLogin": "Použít bezpečnostní klíč",
    "securityKeyAuthError": "Ověření bezpečnostním klíčem se nezdařilo",
    "securityKeyRecommendation": "Registrujte záložní bezpečnostní klíč na jiném zařízení, abyste zajistili, že budete mít vždy přístup ke svému účtu.",
    "registering": "Registrace...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Pro neHTTP zdroje je vyžadováno číslo portu",
    "resourcePortNotAllowed": "Číslo portu by nemělo být nastaveno pro HTTP zdroje",
    "billingPricingCalculatorLink": "Cenová kalkulačka",
+    "billingYourPlan": "Váš plán",
+    "billingViewOrModifyPlan": "Zobrazit nebo upravit aktuální tarif",
+    "billingViewPlanDetails": "Zobrazit detaily plánu",
+    "billingUsageAndLimits": "Limity a použití",
+    "billingViewUsageAndLimits": "Zobrazit limity vašeho plánu a aktuální využití",
+    "billingCurrentUsage": "Aktuální využití",
+    "billingMaximumLimits": "Maximální limity",
+    "billingRemoteNodes": "Vzdálené uzly",
+    "billingUnlimited": "Bez omezení",
+    "billingPaidLicenseKeys": "Placené licenční klíče",
+    "billingManageLicenseSubscription": "Spravujte své předplatné za placené samohostované licenční klíče",
+    "billingCurrentKeys": "Aktuální klíče",
+    "billingModifyCurrentPlan": "Upravit aktuální tarif",
+    "billingConfirmUpgrade": "Potvrdit aktualizaci",
+    "billingConfirmDowngrade": "Potvrdit downgrade",
+    "billingConfirmUpgradeDescription": "Chystáte se povýšit svůj tarif. Přečtěte si nové limity a ceny.",
+    "billingConfirmDowngradeDescription": "Chystáte se snížit svůj tarif. Přečtěte si nové limity a ceny níže.",
+    "billingPlanIncludes": "Plán zahrnuje",
+    "billingProcessing": "Zpracovávám...",
+    "billingConfirmUpgradeButton": "Potvrdit aktualizaci",
+    "billingConfirmDowngradeButton": "Potvrdit downgrade",
+    "billingLimitViolationWarning": "Využití překročilo limity nového plánu",
+    "billingLimitViolationDescription": "Vaše současné využití překračuje meze tohoto plánu. Po ponížení budou všechny akce zakázány, dokud nesnížíte využití v rámci nových limitů. Přečtěte si prosím níže uvedené funkce překračující limity. Limity při porušení:",
+    "billingFeatureLossWarning": "Upozornění na dostupnost funkce",
+    "billingFeatureLossDescription": "Po pomenutí budou funkce v novém plánu automaticky zakázány. Některá nastavení a konfigurace mohou být ztraceny. Zkontrolujte cenovou matrici, abyste pochopili, které funkce již nebudou k dispozici.",
+    "billingUsageExceedsLimit": "Aktuální využití ({current}) překračuje limit ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Souhlasím s",
        "termsOfService": "podmínky služby",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Interval zdraví",
    "timeoutSeconds": "Časový limit (sek)",
    "timeIsInSeconds": "Čas je v sekundách",
+    "requireDeviceApproval": "Vyžadovat schválení zařízení",
+    "requireDeviceApprovalDescription": "Uživatelé s touto rolí potřebují nová zařízení schválená správcem, než se mohou připojit a přistupovat ke zdrojům.",
    "retryAttempts": "Opakovat pokusy",
    "expectedResponseCodes": "Očekávané kódy odezvy",
    "expectedResponseCodesDescription": "HTTP kód stavu, který označuje zdravý stav. Ponecháte-li prázdné, 200-300 je považováno za zdravé.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Nebyly nalezeny žádné vnitřní zdroje.",
    "resourcesTableDestination": "Místo určení",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adresa aliasu",
+    "resourcesTableAliasAddressInfo": "Tato adresa je součástí subsítě veřejných služeb organizace. Používá se k řešení záznamů aliasů pomocí interního rozlišení DNS.",
    "resourcesTableClients": "Klienti",
    "resourcesTableAndOnlyAccessibleInternally": "a jsou interně přístupné pouze v případě, že jsou propojeni s klientem.",
    "resourcesTableNoTargets": "Žádné cíle",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
    "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
    "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
-    "orgAuthSignInToOrg": "Přihlaste se do organizace",
+    "orgAuthSignInToOrg": "Přihlásit se do organizace",
    "orgAuthSelectOrgTitle": "Přihlášení do organizace",
    "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
    "orgAuthOrgIdPlaceholder": "vaše-organizace",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Zpět ke standardnímu přihlášení",
    "orgAuthNoAccount": "Nemáte účet?",
    "subscriptionRequiredToUse": "Pro použití této funkce je vyžadováno předplatné.",
+    "mustUpgradeToUse": "Pro použití této funkce musíte aktualizovat své předplatné.",
+    "subscriptionRequiredTierToUse": "Tato funkce vyžaduje <tierLink>{tier}</tierLink> nebo vyšší.",
+    "upgradeToTierToUse": "Pro použití této funkce upgradujte na <tierLink>{tier}</tierLink> nebo vyšší.",
+    "subscriptionTierTier1": "Domů",
+    "subscriptionTierTier2": "Tým",
+    "subscriptionTierTier3": "Podniky",
+    "subscriptionTierEnterprise": "Podniky",
    "idpDisabled": "Poskytovatelé identit jsou zakázáni.",
    "orgAuthPageDisabled": "Ověřovací stránka organizace je zakázána.",
    "domainRestartedDescription": "Ověření domény bylo úspěšně restartováno",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Získat licenci",
+        "description": "Vyberte si plán a řekněte nám, jak plánujete používat Pangolin.",
+        "chooseTier": "Vyberte si svůj plán",
+        "viewPricingLink": "Zobrazit ceny, funkce a limity",
+        "tiers": {
+            "starter": {
+                "title": "Počáteční",
+                "description": "Firemní funkce, 25 uživatelů, 25 stránek a komunitní podpory."
+            },
+            "scale": {
+                "title": "Měřítko",
+                "description": "Podnikové funkce, 50 uživatelů, 50 míst a prioritní podpory."
+            }
+        },
+        "personalUseOnly": "Pouze osobní použití (bezplatná licence – bez platby)",
+        "buttons": {
+            "continueToCheckout": "Pokračovat do pokladny"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Chyba při objednávce",
+                "description": "Nelze spustit objednávku. Zkuste to prosím znovu."
+            }
+        }
+    },
    "priority": "Priorita",
    "priorityDescription": "Vyšší priorita je vyhodnocena jako první. Priorita = 100 znamená automatické řazení (rozhodnutí systému). Pro vynucení manuální priority použijte jiné číslo.",
    "instanceName": "Název instance",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
    "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence pro podnikání.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce.",
    "certResolver": "Oddělovač certifikátů",
    "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
    "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Kód musí být 9 znaků (např. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Neplatný nebo prošlý kód",
    "deviceCodeVerifyFailed": "Ověření kódu zařízení se nezdařilo",
+    "deviceCodeValidating": "Ověřování kódu zařízení...",
+    "deviceCodeVerifying": "Ověřování autorizace zařízení...",
    "signedInAs": "Přihlášen jako",
    "deviceCodeEnterPrompt": "Zadejte kód zobrazený na zařízení",
    "continue": "Pokračovat",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Přístup ke všem organizacím má přístup k vašemu účtu",
    "deviceAuthorize": "Autorizovat {applicationName}",
    "deviceConnected": "Zařízení připojeno!",
-    "deviceAuthorizedMessage": "Zařízení má oprávnění k přístupu k vašemu účtu.",
+    "deviceAuthorizedMessage": "Zařízení má oprávnění k přístupu k vašemu účtu. Vraťte se prosím do klientské aplikace.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Zobrazit zařízení",
    "viewDevicesDescription": "Spravovat připojená zařízení",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Nejste vy? Použijte jiný účet.",
    "deviceLoginDeviceRequestingAccessToAccount": "Zařízení žádá o přístup k tomuto účtu.",
+    "loginSelectAuthenticationMethod": "Chcete-li pokračovat, vyberte metodu ověřování.",
    "noData": "Žádná data",
    "machineClients": "Strojoví klienti",
    "install": "Instalovat",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Služba dočasně nedostupná",
    "maintenanceScreenMessage": "Momentálně máme technické potíže. Zkontrolujte později.",
    "maintenanceScreenEstimatedCompletion": "Odhadované dokončení:",
-    "createInternalResourceDialogDestinationRequired": "Cíl je povinný"
+    "createInternalResourceDialogDestinationRequired": "Cíl je povinný",
+    "available": "Dostupné",
+    "archived": "Archivováno",
+    "noArchivedDevices": "Nebyla nalezena žádná archivovaná zařízení",
+    "deviceArchived": "Zařízení archivováno",
+    "deviceArchivedDescription": "Zařízení bylo úspěšně archivováno.",
+    "errorArchivingDevice": "Chyba při archivaci zařízení",
+    "failedToArchiveDevice": "Archivace zařízení se nezdařila",
+    "deviceQuestionArchive": "Opravdu chcete archivovat toto zařízení?",
+    "deviceMessageArchive": "Zařízení bude archivováno a odebráno ze seznamu aktivních zařízení.",
+    "deviceArchiveConfirm": "Archivovat zařízení",
+    "archiveDevice": "Archivovat zařízení",
+    "archive": "Archiv",
+    "deviceUnarchived": "Zařízení bylo odarchivováno",
+    "deviceUnarchivedDescription": "Zařízení bylo úspěšně odarchivováno.",
+    "errorUnarchivingDevice": "Chyba při odarchivování zařízení",
+    "failedToUnarchiveDevice": "Nepodařilo se odarchivovat zařízení",
+    "unarchive": "Zrušit archiv",
+    "archiveClient": "Archivovat klienta",
+    "archiveClientQuestion": "Jste si jisti, že chcete archivovat tohoto klienta?",
+    "archiveClientMessage": "Klient bude archivován a odstraněn z vašeho aktivního seznamu klientů.",
+    "archiveClientConfirm": "Archivovat klienta",
+    "blockClient": "Blokovat klienta",
+    "blockClientQuestion": "Jste si jisti, že chcete zablokovat tohoto klienta?",
+    "blockClientMessage": "Zařízení bude nuceno odpojit, pokud je připojeno. Zařízení můžete později odblokovat.",
+    "blockClientConfirm": "Blokovat klienta",
+    "active": "Aktivní",
+    "usernameOrEmail": "Uživatelské jméno nebo e-mail",
+    "selectYourOrganization": "Vyberte vaši organizaci",
+    "signInTo": "Přihlásit se do",
+    "signInWithPassword": "Pokračovat s heslem",
+    "noAuthMethodsAvailable": "Pro tuto organizaci nejsou k dispozici žádné metody ověřování.",
+    "enterPassword": "Zadejte své heslo",
+    "enterMfaCode": "Zadejte kód z vaší ověřovací aplikace",
+    "securityKeyRequired": "Pro přihlášení použijte svůj bezpečnostní klíč.",
+    "needToUseAnotherAccount": "Potřebujete použít jiný účet?",
+    "loginLegalDisclaimer": "Kliknutím na tlačítka níže potvrzujete, že jste si přečetli, chápali, a souhlasím s <termsOfService>obchodními podmínkami</termsOfService> a <privacyPolicy>Zásadami ochrany osobních údajů</privacyPolicy>.",
+    "termsOfService": "Podmínky služby",
+    "privacyPolicy": "Ochrana osobních údajů",
+    "userNotFoundWithUsername": "Nebyl nalezen žádný uživatel s tímto uživatelským jménem.",
+    "verify": "Ověřit",
+    "signIn": "Přihlásit se",
+    "forgotPassword": "Zapomněli jste heslo?",
+    "orgSignInTip": "Pokud jste se přihlásili dříve, můžete místo toho zadat své uživatelské jméno nebo e-mail výše pro ověření u poskytovatele identity vaší organizace. Je to jednodušší!",
+    "continueAnyway": "Přesto pokračovat",
+    "dontShowAgain": "Znovu nezobrazovat",
+    "orgSignInNotice": "Věděli jste, že?",
+    "signupOrgNotice": "Chcete se přihlásit?",
+    "signupOrgTip": "Snažíte se přihlásit prostřednictvím poskytovatele identity vaší organizace?",
+    "signupOrgLink": "Namísto toho se přihlaste nebo se zaregistrujte pomocí své organizace",
+    "verifyEmailLogInWithDifferentAccount": "Použít jiný účet",
+    "logIn": "Přihlásit se",
+    "deviceInformation": "Informace o zařízení",
+    "deviceInformationDescription": "Informace o zařízení a agentovi",
+    "deviceSecurity": "Zabezpečení zařízení",
+    "deviceSecurityDescription": "Informace o bezpečnostní pozici zařízení",
+    "platform": "Platforma",
+    "macosVersion": "macOS verze",
+    "windowsVersion": "Verze Windows",
+    "iosVersion": "Verze iOS",
+    "androidVersion": "Verze Androidu",
+    "osVersion": "Verze OS",
+    "kernelVersion": "Verze jádra",
+    "deviceModel": "Model zařízení",
+    "serialNumber": "Pořadové číslo",
+    "hostname": "Hostname",
+    "firstSeen": "První vidění",
+    "lastSeen": "Naposledy viděno",
+    "biometricsEnabled": "Biometrie povolena",
+    "diskEncrypted": "Šifrovaný disk",
+    "firewallEnabled": "Firewall povolen",
+    "autoUpdatesEnabled": "Automatické aktualizace povoleny",
+    "tpmAvailable": "TPM k dispozici",
+    "windowsAntivirusEnabled": "Antivirus povolen",
+    "macosSipEnabled": "Ochrana systémové integrity (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Režim neviditelnosti firewallu",
+    "linuxAppArmorEnabled": "Pancíř aplikace",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Zobrazit informace o zařízení a nastavení",
+    "devicePendingApprovalDescription": "Toto zařízení čeká na schválení",
+    "deviceBlockedDescription": "Toto zařízení je momentálně blokováno. Nebude se moci připojit k žádným zdrojům, dokud nebude odblokováno.",
+    "unblockClient": "Odblokovat klienta",
+    "unblockClientDescription": "Zařízení bylo odblokováno",
+    "unarchiveClient": "Zrušit archiv klienta",
+    "unarchiveClientDescription": "Zařízení bylo odarchivováno",
+    "block": "Blokovat",
+    "unblock": "Odblokovat",
+    "deviceActions": "Akce zařízení",
+    "deviceActionsDescription": "Spravovat stav zařízení a přístup",
+    "devicePendingApprovalBannerDescription": "Toto zařízení čeká na schválení. Nebude se moci připojit ke zdrojům, dokud nebude schváleno.",
+    "connected": "Připojeno",
+    "disconnected": "Odpojeno",
+    "approvalsEmptyStateTitle": "Schvalování zařízení není povoleno",
+    "approvalsEmptyStateDescription": "Povolte oprávnění oprávnění pro role správce před připojením nových zařízení.",
+    "approvalsEmptyStateStep1Title": "Přejít na role",
+    "approvalsEmptyStateStep1Description": "Přejděte do nastavení rolí vaší organizace pro konfiguraci schválení zařízení.",
+    "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
+    "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
+    "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
+    "approvalsEmptyStateButtonText": "Spravovat role"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -18,6 +18,8 @@
    "componentsMember": "Du bist Mitglied von {count, plural, =0 {keiner Organisation} one {einer Organisation} other {# Organisationen}}.",
    "componentsInvalidKey": "Ungültige oder abgelaufene Lizenzschlüssel erkannt. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "dismiss": "Verwerfen",
+    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Webseiten, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
+    "subscriptionViolationViewBilling": "Rechnung anzeigen",
    "componentsLicenseViolation": "Lizenzverstoß: Dieser Server benutzt {usedSites} Standorte, was das Lizenzlimit von {maxSites} Standorten überschreitet. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "componentsSupporterMessage": "Vielen Dank für die Unterstützung von Pangolin als {tier}!",
    "inviteErrorNotValid": "Es tut uns leid, aber es sieht so aus, als wäre die Einladung, auf die du zugreifen möchtest, entweder nicht angenommen worden oder nicht mehr gültig.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Verbinde ein beliebiges Netzwerk",
    "sitesBannerDescription": "Ein Standort ist eine Verbindung zu einem Remote-Netzwerk, die es Pangolin ermöglicht, Zugriff auf öffentliche oder private Ressourcen für Benutzer überall zu gewähren. Installieren Sie den Site Netzwerk Connector (Newt) wo auch immer Sie eine Binärdatei oder einen Container starten können, um die Verbindung herzustellen.",
    "sitesBannerButtonText": "Standort installieren",
+    "approvalsBannerTitle": "Gerätezugriff genehmigen oder verweigern",
+    "approvalsBannerDescription": "Überprüfen und genehmigen oder verweigern Gerätezugriffsanfragen von Benutzern. Wenn Gerätegenehmigungen erforderlich sind, müssen Benutzer eine Administratorgenehmigung erhalten, bevor ihre Geräte sich mit den Ressourcen Ihrer Organisation verbinden können.",
+    "approvalsBannerButtonText": "Mehr erfahren",
    "siteCreate": "Standort erstellen",
    "siteCreateDescription2": "Folge den nachfolgenden Schritten, um einen neuen Standort zu erstellen und zu verbinden",
    "siteCreateDescription": "Erstellen Sie einen neuen Standort, um Ressourcen zu verbinden",
@@ -94,7 +99,7 @@
    "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
    "siteSettingDescription": "Standorteinstellungen konfigurieren",
    "siteSetting": "{siteName} Einstellungen",
-    "siteNewtTunnel": "Neuer Standort (empfohlen)",
+    "siteNewtTunnel": "Newt Standort (empfohlen)",
    "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
    "siteWg": "Einfacher WireGuard Tunnel",
    "siteWgDescription": "Verwende jeden WireGuard-Client, um einen Tunnel einzurichten. Manuelles NAT-Setup erforderlich.",
@@ -104,7 +109,7 @@
    "siteSeeAll": "Alle Standorte anzeigen",
    "siteTunnelDescription": "Legen Sie fest, wie Sie sich mit dem Standort verbinden möchten",
    "siteNewtCredentials": "Zugangsdaten",
-    "siteNewtCredentialsDescription": "So wird sich die Seite mit dem Server authentifizieren",
+    "siteNewtCredentialsDescription": "So wird sich der Standort mit dem Server authentifizieren",
    "remoteNodeCredentialsDescription": "So wird sich der entfernte Node mit dem Server authentifizieren",
    "siteCredentialsSave": "Anmeldedaten speichern",
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Rollen suchen...",
    "accessRolesAdd": "Rolle hinzufügen",
    "accessRoleDelete": "Rolle löschen",
+    "accessApprovalsManage": "Genehmigungen verwalten",
+    "accessApprovalsDescription": "Zeige und verwalte ausstehende Genehmigungen für den Zugriff auf diese Organisation",
    "description": "Beschreibung",
    "inviteTitle": "Einladungen öffnen",
    "inviteDescription": "Einladungen für andere Benutzer verwalten, der Organisation beizutreten",
@@ -450,6 +457,18 @@
    "selectDuration": "Dauer auswählen",
    "selectResource": "Ressource auswählen",
    "filterByResource": "Nach Ressource filtern",
+    "selectApprovalState": "Genehmigungsstatus auswählen",
+    "filterByApprovalState": "Filtern nach Genehmigungsstatus",
+    "approvalListEmpty": "Keine Genehmigungen",
+    "approvalState": "Genehmigungsstatus",
+    "approve": "Bestätigen",
+    "approved": "Genehmigt",
+    "denied": "Verweigert",
+    "deniedApproval": "Genehmigung verweigert",
+    "all": "Alle",
+    "deny": "Leugnen",
+    "viewDetails": "Details anzeigen",
+    "requestingNewDeviceApproval": "hat ein neues Gerät angefordert",
    "resetFilters": "Filter zurücksetzen",
    "totalBlocked": "Anfragen blockiert von Pangolin",
    "totalRequests": "Gesamte Anfragen",
@@ -729,16 +748,28 @@
    "countries": "Länder",
    "accessRoleCreate": "Rolle erstellen",
    "accessRoleCreateDescription": "Erstellen Sie eine neue Rolle, um Benutzer zu gruppieren und ihre Berechtigungen zu verwalten.",
+    "accessRoleEdit": "Rolle bearbeiten",
+    "accessRoleEditDescription": "Rolleninformationen bearbeiten.",
    "accessRoleCreateSubmit": "Rolle erstellen",
    "accessRoleCreated": "Rolle erstellt",
    "accessRoleCreatedDescription": "Die Rolle wurde erfolgreich erstellt.",
    "accessRoleErrorCreate": "Fehler beim Erstellen der Rolle",
    "accessRoleErrorCreateDescription": "Beim Erstellen der Rolle ist ein Fehler aufgetreten.",
+    "accessRoleUpdateSubmit": "Rolle aktualisieren",
+    "accessRoleUpdated": "Rolle aktualisiert",
+    "accessRoleUpdatedDescription": "Die Rolle wurde erfolgreich aktualisiert.",
+    "accessApprovalUpdated": "Genehmigung bearbeitet",
+    "accessApprovalApprovedDescription": "Entscheidung für Genehmigungsanfrage setzen.",
+    "accessApprovalDeniedDescription": "Entscheidung für Genehmigungsanfrage ablehnen.",
+    "accessRoleErrorUpdate": "Fehler beim Aktualisieren der Rolle",
+    "accessRoleErrorUpdateDescription": "Beim Aktualisieren der Rolle ist ein Fehler aufgetreten.",
+    "accessApprovalErrorUpdate": "Genehmigung konnte nicht verarbeitet werden",
+    "accessApprovalErrorUpdateDescription": "Bei der Bearbeitung der Genehmigung ist ein Fehler aufgetreten.",
    "accessRoleErrorNewRequired": "Neue Rolle ist erforderlich",
    "accessRoleErrorRemove": "Fehler beim Entfernen der Rolle",
    "accessRoleErrorRemoveDescription": "Beim Entfernen der Rolle ist ein Fehler aufgetreten.",
    "accessRoleName": "Rollenname",
-    "accessRoleQuestionRemove": "Sie sind dabei, die Rolle {name} zu löschen. Diese Aktion kann nicht rückgängig gemacht werden.",
+    "accessRoleQuestionRemove": "Du bist dabei die Rolle `{name}` zu löschen. Du kannst diese Aktion nicht rückgängig machen.",
    "accessRoleRemove": "Rolle entfernen",
    "accessRoleRemoveDescription": "Eine Rolle aus der Organisation entfernen",
    "accessRoleRemoveSubmit": "Rolle entfernen",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Diese Organisation erfordert, dass Sie Ihr Passwort alle {maxDays} Tage ändern.",
    "changePasswordNow": "Passwort jetzt ändern",
    "pincodeAuth": "Authentifizierungscode",
-    "pincodeSubmit2": "Code absenden",
+    "pincodeSubmit2": "Code einreichen",
    "passwordResetSubmit": "Zurücksetzung anfordern",
    "passwordResetAlreadyHaveCode": "Code eingeben",
    "passwordResetSmtpRequired": "Bitte kontaktieren Sie Ihren Administrator",
    "passwordResetSmtpRequiredDescription": "Zum Zurücksetzen Ihres Passworts ist ein Passwort erforderlich. Bitte wenden Sie sich an Ihren Administrator.",
    "passwordBack": "Zurück zum Passwort",
-    "loginBack": "Zurück zur Anmeldung",
+    "loginBack": "Zurück zur Haupt-Login-Seite",
    "signup": "Registrieren",
    "loginStart": "Melden Sie sich an, um zu beginnen",
    "idpOidcTokenValidating": "OIDC-Token wird validiert",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "IDP-Organisation aktualisieren",
    "actionCreateClient": "Client erstellen",
    "actionDeleteClient": "Client löschen",
+    "actionArchiveClient": "Client archivieren",
+    "actionUnarchiveClient": "Client dearchivieren",
+    "actionBlockClient": "Klient sperren",
+    "actionUnblockClient": "Client entsperren",
    "actionUpdateClient": "Client aktualisieren",
    "actionListClients": "Clients auflisten",
    "actionGetClient": "Clients abrufen",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Suche...",
    "create": "Erstellen",
    "orgs": "Organisationen",
-    "loginError": "Beim Anmelden ist ein Fehler aufgetreten",
-    "loginRequiredForDevice": "Zur Authentifizierung Ihres Geräts ist eine Anmeldung erforderlich",
+    "loginError": "Ein unerwarteter Fehler ist aufgetreten. Bitte versuchen Sie es erneut.",
+    "loginRequiredForDevice": "Anmeldung ist für Ihr Gerät erforderlich.",
    "passwordForgot": "Passwort vergessen?",
    "otpAuth": "Zwei-Faktor-Authentifizierung",
    "otpAuthDescription": "Geben Sie den Code aus Ihrer Authenticator-App oder einen Ihrer einmaligen Backup-Codes ein.",
    "otpAuthSubmit": "Code absenden",
    "idpContinue": "Oder weiter mit",
-    "otpAuthBack": "Zurück zur Anmeldung",
+    "otpAuthBack": "Zurück zum Passwort",
    "navbar": "Navigationsmenü",
    "navbarDescription": "Hauptnavigationsmenü für die Anwendung",
    "navbarDocsLink": "Dokumentation",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Übersicht",
    "sidebarHome": "Zuhause",
    "sidebarSites": "Standorte",
+    "sidebarApprovals": "Genehmigungsanfragen",
    "sidebarResources": "Ressourcen",
    "sidebarProxyResources": "Öffentlich",
    "sidebarClientResources": "Privat",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Identitätsanbieter",
    "sidebarLicense": "Lizenz",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Benutzergeräte",
+    "sidebarUserDevices": "Benutzer-Geräte",
    "sidebarMachineClients": "Maschinen",
    "sidebarDomains": "Domänen",
    "sidebarGeneral": "Verwalten",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Beim Erstellen des Server-Admin-Kontos ist ein Fehler aufgetreten.",
    "certificateStatus": "Zertifikatsstatus",
    "loading": "Laden",
+    "loadingAnalytics": "Analytik wird geladen",
    "restart": "Neustart",
    "domains": "Domänen",
    "domainsDescription": "Erstellen und verwalten der in der Organisation verfügbaren Domänen",
@@ -1304,6 +1341,7 @@
    "refreshError": "Datenaktualisierung fehlgeschlagen",
    "verified": "Verifiziert",
    "pending": "Ausstehend",
+    "pendingApproval": "Ausstehende Genehmigung",
    "sidebarBilling": "Abrechnung",
    "billing": "Abrechnung",
    "orgBillingDescription": "Zahlungsinformationen und Abonnements verwalten",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Übersicht über Nutzungsgrenzen",
    "billingMonitorUsage": "Überwachen Sie Ihren Verbrauch im Vergleich zu konfigurierten Grenzwerten. Wenn Sie eine Erhöhung der Limits benötigen, kontaktieren Sie uns bitte support@pangolin.net.",
    "billingDataUsage": "Datenverbrauch",
-    "billingOnlineTime": "Online-Zeit der Seite",
-    "billingUsers": "Aktive Benutzer",
-    "billingDomains": "Aktive Domains",
-    "billingRemoteExitNodes": "Aktive selbstgehostete Nodes",
+    "billingSites": "Seiten",
+    "billingUsers": "Benutzergeräte",
+    "billingDomains": "Domänen",
+    "billingRemoteExitNodes": "Entfernte Knoten",
    "billingNoLimitConfigured": "Kein Limit konfiguriert",
    "billingEstimatedPeriod": "Geschätzter Abrechnungszeitraum",
    "billingIncludedUsage": "Inklusive Nutzung",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Fehler beim Abrufen der Portal-URL",
    "billingPortalError": "Portalfehler",
    "billingDataUsageInfo": "Wenn Sie mit der Cloud verbunden sind, werden alle Daten über Ihre sicheren Tunnel belastet. Dies schließt eingehenden und ausgehenden Datenverkehr über alle Ihre Websites ein. Wenn Sie Ihr Limit erreichen, werden Ihre Seiten die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Daten werden nicht belastet, wenn Sie Knoten verwenden.",
-    "billingOnlineTimeInfo": "Sie werden belastet, abhängig davon, wie lange Ihre Seiten mit der Cloud verbunden bleiben. Zum Beispiel 44.640 Minuten entspricht einer Site, die 24 Stunden am Tag des Monats läuft. Wenn Sie Ihr Limit erreichen, werden Ihre Seiten die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Die Zeit wird nicht belastet, wenn Sie Knoten verwenden.",
-    "billingUsersInfo": "Sie werden für jeden Benutzer in der Organisation berechnet. Die Abrechnung wird täglich anhand der Anzahl der aktiven Benutzerkonten in Ihrer Org berechnet.",
-    "billingDomainInfo": "Sie werden für jede Domain in der Organisation berechnet. Die Abrechnung wird täglich anhand der Anzahl der aktiven Domain-Konten in Ihrer Org berechnet.",
-    "billingRemoteExitNodesInfo": "Sie werden für jeden verwalteten Knoten in der Organisation berechnet. Die Abrechnung wird täglich anhand der Anzahl der aktiven verwalteten Knoten in Ihrer Org berechnet.",
+    "billingSInfo": "Anzahl der Sites die Sie verwenden können",
+    "billingUsersInfo": "Wie viele Benutzer Sie verwenden können",
+    "billingDomainInfo": "Wie viele Domains Sie verwenden können",
+    "billingRemoteExitNodesInfo": "Wie viele entfernte Knoten Sie verwenden können",
+    "billingLicenseKeys": "Lizenzschlüssel",
+    "billingLicenseKeysDescription": "Verwalten Sie Ihre Lizenzschlüssel Abonnements",
+    "billingLicenseSubscription": "Lizenzabonnement",
+    "billingInactive": "Inaktiv",
+    "billingLicenseItem": "Lizenz-Element",
+    "billingQuantity": "Menge",
+    "billingTotal": "gesamt",
+    "billingModifyLicenses": "Lizenzabonnement ändern",
    "domainNotFound": "Domain nicht gefunden",
    "domainNotFoundDescription": "Diese Ressource ist deaktiviert, weil die Domain nicht mehr in unserem System existiert. Bitte setzen Sie eine neue Domain für diese Ressource.",
    "failed": "Fehlgeschlagen",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Sicherheitsschlüssel erfolgreich entfernt",
    "securityKeyRemoveError": "Fehler beim Entfernen des Sicherheitsschlüssels",
    "securityKeyLoadError": "Fehler beim Laden der Sicherheitsschlüssel",
-    "securityKeyLogin": "Mit dem Sicherheitsschlüssel fortfahren",
+    "securityKeyLogin": "Sicherheitsschlüssel verwenden",
    "securityKeyAuthError": "Fehler bei der Authentifizierung mit Sicherheitsschlüssel",
    "securityKeyRecommendation": "Erwägen Sie die Registrierung eines weiteren Sicherheitsschlüssels auf einem anderen Gerät, um sicherzustellen, dass Sie sich nicht aus Ihrem Konto aussperren.",
    "registering": "Registrierung...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Portnummer ist für nicht-HTTP-Ressourcen erforderlich",
    "resourcePortNotAllowed": "Portnummer sollte für HTTP-Ressourcen nicht gesetzt werden",
    "billingPricingCalculatorLink": "Preisrechner",
+    "billingYourPlan": "Ihr Plan",
+    "billingViewOrModifyPlan": "Zeige oder ändere dein aktuelles Paket",
+    "billingViewPlanDetails": "Plan Details anzeigen",
+    "billingUsageAndLimits": "Nutzung und Einschränkungen",
+    "billingViewUsageAndLimits": "Schau dir die Grenzen und die aktuelle Nutzung deines Plans an",
+    "billingCurrentUsage": "Aktuelle Nutzung",
+    "billingMaximumLimits": "Maximale Grenzen",
+    "billingRemoteNodes": "Entfernte Knoten",
+    "billingUnlimited": "Unbegrenzt",
+    "billingPaidLicenseKeys": "Bezahlte Lizenzschlüssel",
+    "billingManageLicenseSubscription": "Verwalten Sie Ihr Abonnement für kostenpflichtige selbstgehostete Lizenzschlüssel",
+    "billingCurrentKeys": "Aktuelle Tasten",
+    "billingModifyCurrentPlan": "Aktuelles Paket ändern",
+    "billingConfirmUpgrade": "Upgrade bestätigen",
+    "billingConfirmDowngrade": "Downgrade bestätigen",
+    "billingConfirmUpgradeDescription": "Sie sind dabei, Ihr Paket zu aktualisieren. Schauen Sie sich die neuen Limits und Preise unten an.",
+    "billingConfirmDowngradeDescription": "Sie sind dabei, Ihren Plan herunterzustufen. Überprüfen Sie die neuen Limits und Preise unten.",
+    "billingPlanIncludes": "Plan beinhaltet",
+    "billingProcessing": "Verarbeitung...",
+    "billingConfirmUpgradeButton": "Upgrade bestätigen",
+    "billingConfirmDowngradeButton": "Downgrade bestätigen",
+    "billingLimitViolationWarning": "Nutzung überschreitet neue Plan-Grenzen",
+    "billingLimitViolationDescription": "Ihre aktuelle Nutzung überschreitet die Grenzen dieses Plans. Nach dem Downgrade werden alle Aktionen deaktiviert, bis Sie die Nutzung innerhalb der neuen Grenzen reduzieren. Bitte überprüfen Sie die Funktionen unten, die derzeit über den Grenzen liegen. Grenzwerte verletzen:",
+    "billingFeatureLossWarning": "Verfügbarkeitshinweis",
+    "billingFeatureLossDescription": "Durch Herabstufung werden Funktionen, die im neuen Paket nicht verfügbar sind, automatisch deaktiviert. Einige Einstellungen und Konfigurationen können verloren gehen. Bitte überprüfen Sie die Preismatrix um zu verstehen, welche Funktionen nicht mehr verfügbar sein werden.",
+    "billingUsageExceedsLimit": "Aktuelle Nutzung ({current}) überschreitet das Limit ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Ich stimme den",
        "termsOfService": "Nutzungsbedingungen zu",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Gesunder Intervall",
    "timeoutSeconds": "Timeout (Sek.)",
    "timeIsInSeconds": "Zeit ist in Sekunden",
+    "requireDeviceApproval": "Gerätegenehmigungen erforderlich",
+    "requireDeviceApprovalDescription": "Benutzer mit dieser Rolle benötigen neue Geräte, die von einem Administrator genehmigt wurden, bevor sie sich verbinden und auf Ressourcen zugreifen können.",
    "retryAttempts": "Wiederholungsversuche",
    "expectedResponseCodes": "Erwartete Antwortcodes",
    "expectedResponseCodesDescription": "HTTP-Statuscode, der einen gesunden Zustand anzeigt. Wenn leer gelassen, wird 200-300 als gesund angesehen.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Keine internen Ressourcen gefunden.",
    "resourcesTableDestination": "Ziel",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias-Adresse",
+    "resourcesTableAliasAddressInfo": "Diese Adresse ist Teil des Utility-Subnetzes der Organisation. Sie wird verwendet, um Alias-Einträge mit interner DNS-Auflösung aufzulösen.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "und sind nur intern zugänglich, wenn mit einem Client verbunden.",
    "resourcesTableNoTargets": "Keine Ziele",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Zurück zum Standard Login",
    "orgAuthNoAccount": "Sie haben noch kein Konto?",
    "subscriptionRequiredToUse": "Um diese Funktion nutzen zu können, ist ein Abonnement erforderlich.",
+    "mustUpgradeToUse": "Sie müssen Ihr Abonnement aktualisieren, um diese Funktion nutzen zu können.",
+    "subscriptionRequiredTierToUse": "Diese Funktion erfordert <tierLink>{tier}</tierLink> oder höher.",
+    "upgradeToTierToUse": "Upgrade auf <tierLink>{tier}</tierLink> oder höher, um diese Funktion zu nutzen.",
+    "subscriptionTierTier1": "Zuhause",
+    "subscriptionTierTier2": "Team",
+    "subscriptionTierTier3": "Geschäftlich",
+    "subscriptionTierEnterprise": "Firma",
    "idpDisabled": "Identitätsanbieter sind deaktiviert.",
    "orgAuthPageDisabled": "Organisations-Authentifizierungsseite ist deaktiviert.",
    "domainRestartedDescription": "Domain-Verifizierung erfolgreich neu gestartet",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Lizenz erhalten",
+        "description": "Wählen Sie einen Plan und teilen Sie uns mit, wie Sie Pangolin verwenden möchten.",
+        "chooseTier": "Wählen Sie Ihren Plan",
+        "viewPricingLink": "Siehe Preise, Funktionen und Limits",
+        "tiers": {
+            "starter": {
+                "title": "Starter",
+                "description": "Enterprise Features, 25 Benutzer, 25 Sites und Community-Unterstützung."
+            },
+            "scale": {
+                "title": "Maßstab",
+                "description": "Enterprise Features, 50 Benutzer, 50 Sites und Prioritätsunterstützung."
+            }
+        },
+        "personalUseOnly": "Nur persönliche Nutzung (kostenlose Lizenz — keine Kasse)",
+        "buttons": {
+            "continueToCheckout": "Weiter zur Kasse"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Checkout-Fehler",
+                "description": "Kasse konnte nicht gestartet werden. Bitte versuchen Sie es erneut."
+            }
+        }
+    },
    "priority": "Priorität",
    "priorityDescription": "Die Routen mit höherer Priorität werden zuerst ausgewertet. Priorität = 100 bedeutet automatische Bestellung (Systementscheidung). Verwenden Sie eine andere Nummer, um manuelle Priorität zu erzwingen.",
    "instanceName": "Instanzname",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
    "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
    "licenseRequiredToUse": "Um diese Funktion nutzen zu können, ist eine Enterprise-Lizenz erforderlich.",
+    "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können.",
    "certResolver": "Zertifikatsauflöser",
    "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
    "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Code muss 9 Zeichen lang sein (z.B. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ungültiger oder abgelaufener Code",
    "deviceCodeVerifyFailed": "Fehler beim Überprüfen des Gerätecodes",
+    "deviceCodeValidating": "Überprüfe Gerätecode...",
+    "deviceCodeVerifying": "Geräteautorisierung wird überprüft...",
    "signedInAs": "Angemeldet als",
    "deviceCodeEnterPrompt": "Geben Sie den auf dem Gerät angezeigten Code ein",
    "continue": "Weiter",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Zugriff auf alle Organisationen, auf die Ihr Konto Zugriff hat",
    "deviceAuthorize": "{applicationName} autorisieren",
    "deviceConnected": "Gerät verbunden!",
-    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen.",
+    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen. Bitte kehren Sie zur Client-Anwendung zurück.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Geräte anzeigen",
    "viewDevicesDescription": "Verwalten Sie Ihre verbundenen Geräte",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Nicht du? Verwenden Sie ein anderes Konto.",
    "deviceLoginDeviceRequestingAccessToAccount": "Ein Gerät fordert Zugriff auf dieses Konto an.",
+    "loginSelectAuthenticationMethod": "Wählen Sie eine Authentifizierungsmethode aus, um fortzufahren.",
    "noData": "Keine Daten",
    "machineClients": "Maschinen-Clients",
    "install": "Installieren",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Dienst vorübergehend nicht verfügbar",
    "maintenanceScreenMessage": "Wir haben derzeit technische Schwierigkeiten. Bitte schauen Sie bald noch einmal vorbei.",
    "maintenanceScreenEstimatedCompletion": "Geschätzter Abschluss:",
-    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich"
+    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich",
+    "available": "Verfügbar",
+    "archived": "Archiviert",
+    "noArchivedDevices": "Keine archivierten Geräte gefunden",
+    "deviceArchived": "Gerät archiviert",
+    "deviceArchivedDescription": "Das Gerät wurde erfolgreich archiviert.",
+    "errorArchivingDevice": "Fehler beim Archivieren des Geräts",
+    "failedToArchiveDevice": "Archivierung des Geräts fehlgeschlagen",
+    "deviceQuestionArchive": "Sind Sie sicher, dass Sie dieses Gerät archivieren möchten?",
+    "deviceMessageArchive": "Das Gerät wird archiviert und aus Ihrer Liste der aktiven Geräte entfernt.",
+    "deviceArchiveConfirm": "Gerät archivieren",
+    "archiveDevice": "Gerät archivieren",
+    "archive": "Archiv",
+    "deviceUnarchived": "Gerät nicht archiviert",
+    "deviceUnarchivedDescription": "Das Gerät wurde erfolgreich deinstalliert.",
+    "errorUnarchivingDevice": "Fehler beim Entarchivieren des Geräts",
+    "failedToUnarchiveDevice": "Fehler beim Entfernen des Geräts",
+    "unarchive": "Archivieren",
+    "archiveClient": "Client archivieren",
+    "archiveClientQuestion": "Sind Sie sicher, dass Sie diesen Client archivieren möchten?",
+    "archiveClientMessage": "Der Client wird archiviert und aus der Liste Ihrer aktiven Clients entfernt.",
+    "archiveClientConfirm": "Client archivieren",
+    "blockClient": "Klient sperren",
+    "blockClientQuestion": "Sind Sie sicher, dass Sie diesen Client blockieren möchten?",
+    "blockClientMessage": "Das Gerät wird gezwungen, die Verbindung zu trennen, wenn es gerade verbunden ist. Sie können das Gerät später entsperren.",
+    "blockClientConfirm": "Klient sperren",
+    "active": "Aktiv",
+    "usernameOrEmail": "Benutzername oder E-Mail",
+    "selectYourOrganization": "Wählen Sie Ihre Organisation",
+    "signInTo": "Einloggen in",
+    "signInWithPassword": "Mit Passwort fortfahren",
+    "noAuthMethodsAvailable": "Keine Authentifizierungsmethoden für diese Organisation verfügbar.",
+    "enterPassword": "Geben Sie Ihr Passwort ein",
+    "enterMfaCode": "Geben Sie den Code aus Ihrer Authentifizierungs-App ein",
+    "securityKeyRequired": "Bitte verwenden Sie Ihren Sicherheitsschlüssel zum Anmelden.",
+    "needToUseAnotherAccount": "Benötigen Sie ein anderes Konto?",
+    "loginLegalDisclaimer": "Indem Sie auf die Buttons unten klicken, bestätigen Sie, dass Sie gelesen haben, verstehen, und stimmen den <termsOfService>Nutzungsbedingungen</termsOfService> und <privacyPolicy>Datenschutzrichtlinien</privacyPolicy> zu.",
+    "termsOfService": "Nutzungsbedingungen",
+    "privacyPolicy": "Datenschutzerklärung",
+    "userNotFoundWithUsername": "Kein Benutzer mit diesem Benutzernamen gefunden.",
+    "verify": "Überprüfen",
+    "signIn": "Anmelden",
+    "forgotPassword": "Passwort vergessen?",
+    "orgSignInTip": "Wenn Sie sich vorher angemeldet haben, können Sie Ihren Benutzernamen oder Ihre E-Mail-Adresse eingeben, um sich stattdessen beim Identifikationsprovider Ihrer Organisation zu authentifizieren. Es ist einfacher!",
+    "continueAnyway": "Trotzdem fortfahren",
+    "dontShowAgain": "Nicht mehr anzeigen",
+    "orgSignInNotice": "Wussten Sie schon?",
+    "signupOrgNotice": "Versucht sich anzumelden?",
+    "signupOrgTip": "Versuchen Sie, sich über den Identitätsanbieter Ihrer Organisation anzumelden?",
+    "signupOrgLink": "Melden Sie sich an oder melden Sie sich stattdessen bei Ihrer Organisation an",
+    "verifyEmailLogInWithDifferentAccount": "Anderes Konto verwenden",
+    "logIn": "Anmelden",
+    "deviceInformation": "Geräteinformationen",
+    "deviceInformationDescription": "Informationen über das Gerät und den Agent",
+    "deviceSecurity": "Gerätesicherheit",
+    "deviceSecurityDescription": "Informationen zur Gerätesicherheit",
+    "platform": "Plattform",
+    "macosVersion": "macOS-Version",
+    "windowsVersion": "Windows-Version",
+    "iosVersion": "iOS-Version",
+    "androidVersion": "Android-Version",
+    "osVersion": "OS-Version",
+    "kernelVersion": "Kernel-Version",
+    "deviceModel": "Gerätemodell",
+    "serialNumber": "Seriennummer",
+    "hostname": "Hostname",
+    "firstSeen": "Zuerst gesehen",
+    "lastSeen": "Zuletzt gesehen",
+    "biometricsEnabled": "Biometrie aktiviert",
+    "diskEncrypted": "Festplatte verschlüsselt",
+    "firewallEnabled": "Firewall aktiviert",
+    "autoUpdatesEnabled": "Automatische Updates aktiviert",
+    "tpmAvailable": "TPM verfügbar",
+    "windowsAntivirusEnabled": "Antivirus aktiviert",
+    "macosSipEnabled": "Schutz der Systemintegrität (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Stealth-Modus",
+    "linuxAppArmorEnabled": "AppRüstung",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Geräteinformationen und -einstellungen anzeigen",
+    "devicePendingApprovalDescription": "Dieses Gerät wartet auf Freigabe",
+    "deviceBlockedDescription": "Dieses Gerät ist derzeit gesperrt. Es kann keine Verbindung zu anderen Ressourcen herstellen, es sei denn, es entsperrt.",
+    "unblockClient": "Client entsperren",
+    "unblockClientDescription": "Das Gerät wurde entsperrt",
+    "unarchiveClient": "Client dearchivieren",
+    "unarchiveClientDescription": "Das Gerät wurde nicht archiviert",
+    "block": "Blockieren",
+    "unblock": "Entsperren",
+    "deviceActions": "Geräte-Aktionen",
+    "deviceActionsDescription": "Gerätestatus und Zugriff verwalten",
+    "devicePendingApprovalBannerDescription": "Dieses Gerät wartet auf Genehmigung. Es kann sich erst mit Ressourcen verbinden.",
+    "connected": "Verbunden",
+    "disconnected": "Verbindung getrennt",
+    "approvalsEmptyStateTitle": "Gerätezulassungen nicht aktiviert",
+    "approvalsEmptyStateDescription": "Aktiviere Gerätegenehmigungen für Rollen, um Administratorgenehmigungen zu benötigen, bevor Benutzer neue Geräte verbinden können.",
+    "approvalsEmptyStateStep1Title": "Gehe zu Rollen",
+    "approvalsEmptyStateStep1Description": "Navigieren Sie zu den Rolleneinstellungen Ihrer Organisation, um die Gerätefreigaben zu konfigurieren.",
+    "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
+    "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
+    "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
+    "approvalsEmptyStateButtonText": "Rollen verwalten"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -18,6 +18,8 @@
    "componentsMember": "You're a member of {count, plural, =0 {no organization} one {one organization} other {# organizations}}.",
    "componentsInvalidKey": "Invalid or expired license keys detected. Follow license terms to continue using all features.",
    "dismiss": "Dismiss",
+    "subscriptionViolationMessage": "You're beyond your limits for your current plan. Correct the problem by removing sites, users, or other resources to stay within your plan.",
+    "subscriptionViolationViewBilling": "View billing",
    "componentsLicenseViolation": "License Violation: This server is using {usedSites} sites which exceeds its licensed limit of {maxSites} sites. Follow license terms to continue using all features.",
    "componentsSupporterMessage": "Thank you for supporting Pangolin as a {tier}!",
    "inviteErrorNotValid": "We're sorry, but it looks like the invite you're trying to access has not been accepted or is no longer valid.",
@@ -55,7 +57,10 @@
    "siteDescription": "Create and manage sites to enable connectivity to private networks",
    "sitesBannerTitle": "Connect Any Network",
    "sitesBannerDescription": "A site is a connection to a remote network that allows Pangolin to provide access to resources, whether public or private, to users anywhere. Install the site network connector (Newt) anywhere you can run a binary or container to establish the connection.",
-    "sitesBannerButtonText": "Install Site",
+    "sitesBannerButtonText": "Install Site Connector",
+    "approvalsBannerTitle": "Approve or Deny Device Access",
+    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
+    "approvalsBannerButtonText": "Learn More",
    "siteCreate": "Create Site",
    "siteCreateDescription2": "Follow the steps below to create and connect a new site",
    "siteCreateDescription": "Create a new site to start connecting resources",
@@ -76,8 +81,8 @@
    "siteConfirmCopy": "I have copied the config",
    "searchSitesProgress": "Search sites...",
    "siteAdd": "Add Site",
-    "siteInstallNewt": "Install Newt",
-    "siteInstallNewtDescription": "Get Newt running on your system",
+    "siteInstallNewt": "Install Site",
+    "siteInstallNewtDescription": "Install the site connector for your system",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Search roles...",
    "accessRolesAdd": "Add Role",
    "accessRoleDelete": "Delete Role",
+    "accessApprovalsManage": "Manage Approvals",
+    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
    "description": "Description",
    "inviteTitle": "Open Invitations",
    "inviteDescription": "Manage invitations for other users to join the organization",
@@ -450,6 +457,18 @@
    "selectDuration": "Select duration",
    "selectResource": "Select Resource",
    "filterByResource": "Filter By Resource",
+    "selectApprovalState": "Select Approval State",
+    "filterByApprovalState": "Filter By Approval State",
+    "approvalListEmpty": "No approvals",
+    "approvalState": "Approval State",
+    "approve": "Approve",
+    "approved": "Approved",
+    "denied": "Denied",
+    "deniedApproval": "Denied Approval",
+    "all": "All",
+    "deny": "Deny",
+    "viewDetails": "View Details",
+    "requestingNewDeviceApproval": "requested a new device",
    "resetFilters": "Reset Filters",
    "totalBlocked": "Requests Blocked By Pangolin",
    "totalRequests": "Total Requests",
@@ -729,16 +748,28 @@
    "countries": "Countries",
    "accessRoleCreate": "Create Role",
    "accessRoleCreateDescription": "Create a new role to group users and manage their permissions.",
+    "accessRoleEdit": "Edit Role",
+    "accessRoleEditDescription": "Edit role information.",
    "accessRoleCreateSubmit": "Create Role",
    "accessRoleCreated": "Role created",
    "accessRoleCreatedDescription": "The role has been successfully created.",
    "accessRoleErrorCreate": "Failed to create role",
    "accessRoleErrorCreateDescription": "An error occurred while creating the role.",
+    "accessRoleUpdateSubmit": "Update Role",
+    "accessRoleUpdated": "Role updated",
+    "accessRoleUpdatedDescription": "The role has been successfully updated.",
+    "accessApprovalUpdated": "Approval processed",
+    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
+    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
+    "accessRoleErrorUpdate": "Failed to update role",
+    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
+    "accessApprovalErrorUpdate": "Failed to process approval",
+    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
    "accessRoleErrorNewRequired": "New role is required",
    "accessRoleErrorRemove": "Failed to remove role",
    "accessRoleErrorRemoveDescription": "An error occurred while removing the role.",
    "accessRoleName": "Role Name",
-    "accessRoleQuestionRemove": "You're about to delete the {name} role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
    "accessRoleRemove": "Remove Role",
    "accessRoleRemoveDescription": "Remove a role from the organization",
    "accessRoleRemoveSubmit": "Remove Role",
@@ -874,7 +905,7 @@
    "inviteAlready": "Looks like you've been invited!",
    "inviteAlreadyDescription": "To accept the invite, you must log in or create an account.",
    "signupQuestion": "Already have an account?",
-    "login": "Log in",
+    "login": "Log In",
    "resourceNotFound": "Resource Not Found",
    "resourceNotFoundDescription": "The resource you're trying to access does not exist.",
    "pincodeRequirementsLength": "PIN must be exactly 6 digits",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "This organization requires you to change your password every {maxDays} days.",
    "changePasswordNow": "Change Password Now",
    "pincodeAuth": "Authenticator Code",
-    "pincodeSubmit2": "Submit Code",
+    "pincodeSubmit2": "Submit code",
    "passwordResetSubmit": "Request Reset",
    "passwordResetAlreadyHaveCode": "Enter Code",
    "passwordResetSmtpRequired": "Please contact your administrator",
    "passwordResetSmtpRequiredDescription": "A password reset code is required to reset your password. Please contact your administrator for assistance.",
    "passwordBack": "Back to Password",
-    "loginBack": "Go back to log in",
+    "loginBack": "Go back to main login page",
    "signup": "Sign up",
    "loginStart": "Log in to get started",
    "idpOidcTokenValidating": "Validating OIDC token",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Update IDP Org",
    "actionCreateClient": "Create Client",
    "actionDeleteClient": "Delete Client",
+    "actionArchiveClient": "Archive Client",
+    "actionUnarchiveClient": "Unarchive Client",
+    "actionBlockClient": "Block Client",
+    "actionUnblockClient": "Unblock Client",
    "actionUpdateClient": "Update Client",
    "actionListClients": "List Clients",
    "actionGetClient": "Get Client",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Search...",
    "create": "Create",
    "orgs": "Organizations",
-    "loginError": "An error occurred while logging in",
-    "loginRequiredForDevice": "Login is required to authenticate your device.",
+    "loginError": "An unexpected error occurred. Please try again.",
+    "loginRequiredForDevice": "Login is required for your device.",
    "passwordForgot": "Forgot your password?",
    "otpAuth": "Two-Factor Authentication",
    "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
    "otpAuthSubmit": "Submit Code",
    "idpContinue": "Or continue with",
-    "otpAuthBack": "Back to Log In",
+    "otpAuthBack": "Back to Password",
    "navbar": "Navigation Menu",
    "navbarDescription": "Main navigation menu for the application",
    "navbarDocsLink": "Documentation",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Overview",
    "sidebarHome": "Home",
    "sidebarSites": "Sites",
+    "sidebarApprovals": "Approval Requests",
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Identity Providers",
    "sidebarLicense": "License",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Users",
+    "sidebarUserDevices": "User Devices",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domains",
    "sidebarGeneral": "Manage",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "An error occurred while creating the server admin account.",
    "certificateStatus": "Certificate Status",
    "loading": "Loading",
+    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
    "domainsDescription": "Create and manage domains available in the organization",
@@ -1304,6 +1341,7 @@
    "refreshError": "Failed to refresh data",
    "verified": "Verified",
    "pending": "Pending",
+    "pendingApproval": "Pending Approval",
    "sidebarBilling": "Billing",
    "billing": "Billing",
    "orgBillingDescription": "Manage billing information and subscriptions",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Usage Limits Overview",
    "billingMonitorUsage": "Monitor your usage against configured limits. If you need limits increased please contact us support@pangolin.net.",
    "billingDataUsage": "Data Usage",
-    "billingOnlineTime": "Site Online Time",
-    "billingUsers": "Active Users",
-    "billingDomains": "Active Domains",
-    "billingRemoteExitNodes": "Active Self-hosted Nodes",
+    "billingSites": "Sites",
+    "billingUsers": "Users",
+    "billingDomains": "Domains",
+    "billingRemoteExitNodes": "Remote Nodes",
    "billingNoLimitConfigured": "No limit configured",
    "billingEstimatedPeriod": "Estimated Billing Period",
    "billingIncludedUsage": "Included Usage",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Failed to get portal URL",
    "billingPortalError": "Portal Error",
    "billingDataUsageInfo": "You're charged for all data transferred through your secure tunnels when connected to the cloud. This includes both incoming and outgoing traffic across all your sites. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Data is not charged when using nodes.",
-    "billingOnlineTimeInfo": "You're charged based on how long your sites stay connected to the cloud. For example, 44,640 minutes equals one site running 24/7 for a full month. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Time is not charged when using nodes.",
-    "billingUsersInfo": "You're charged for each user in the organization. Billing is calculated daily based on the number of active user accounts in your org.",
-    "billingDomainInfo": "You're charged for each domain in the organization. Billing is calculated daily based on the number of active domain accounts in your org.",
-    "billingRemoteExitNodesInfo": "You're charged for each managed Node in the organization. Billing is calculated daily based on the number of active managed Nodes in your org.",
+    "billingSInfo": "How many sites you can use",
+    "billingUsersInfo": "How many users you can use",
+    "billingDomainInfo": "How many domains you can use",
+    "billingRemoteExitNodesInfo": "How many remote nodes you can use",
+    "billingLicenseKeys": "License Keys",
+    "billingLicenseKeysDescription": "Manage your license key subscriptions",
+    "billingLicenseSubscription": "License Subscription",
+    "billingInactive": "Inactive",
+    "billingLicenseItem": "License Item",
+    "billingQuantity": "Quantity",
+    "billingTotal": "total",
+    "billingModifyLicenses": "Modify License Subscription",
    "domainNotFound": "Domain Not Found",
    "domainNotFoundDescription": "This resource is disabled because the domain no longer exists our system. Please set a new domain for this resource.",
    "failed": "Failed",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Security key removed successfully",
    "securityKeyRemoveError": "Failed to remove security key",
    "securityKeyLoadError": "Failed to load security keys",
-    "securityKeyLogin": "Continue with security key",
+    "securityKeyLogin": "Use Security Key",
    "securityKeyAuthError": "Failed to authenticate with security key",
    "securityKeyRecommendation": "Register a backup security key on another device to ensure you always have access to your account.",
    "registering": "Registering...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Port number is required for non-HTTP resources",
    "resourcePortNotAllowed": "Port number should not be set for HTTP resources",
    "billingPricingCalculatorLink": "Pricing Calculator",
+    "billingYourPlan": "Your Plan",
+    "billingViewOrModifyPlan": "View or modify your current plan",
+    "billingViewPlanDetails": "View Plan Details",
+    "billingUsageAndLimits": "Usage and Limits",
+    "billingViewUsageAndLimits": "View your plan's limits and current usage",
+    "billingCurrentUsage": "Current Usage",
+    "billingMaximumLimits": "Maximum Limits",
+    "billingRemoteNodes": "Remote Nodes",
+    "billingUnlimited": "Unlimited",
+    "billingPaidLicenseKeys": "Paid License Keys",
+    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
+    "billingCurrentKeys": "Current Keys",
+    "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingConfirmUpgrade": "Confirm Upgrade",
+    "billingConfirmDowngrade": "Confirm Downgrade",
+    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
+    "billingConfirmDowngradeDescription": "You are about to downgrade your plan. Review the new limits and pricing below.",
+    "billingPlanIncludes": "Plan Includes",
+    "billingProcessing": "Processing...",
+    "billingConfirmUpgradeButton": "Confirm Upgrade",
+    "billingConfirmDowngradeButton": "Confirm Downgrade",
+    "billingLimitViolationWarning": "Usage Exceeds New Plan Limits",
+    "billingLimitViolationDescription": "Your current usage exceeds the limits of this plan. After downgrading, all actions will be disabled until you reduce usage within the new limits. Please review the features below that are currently over the limits. Limits in violation:",
+    "billingFeatureLossWarning": "Feature Availability Notice",
+    "billingFeatureLossDescription": "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available.",
+    "billingUsageExceedsLimit": "Current usage ({current}) exceeds limit ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "I agree to the",
        "termsOfService": "terms of service",
@@ -1500,8 +1572,8 @@
    "addressDescription": "The internal address of the client. Must fall within the organization's subnet.",
    "selectSites": "Select sites",
    "sitesDescription": "The client will have connectivity to the selected sites",
-    "clientInstallOlm": "Install Olm",
-    "clientInstallOlmDescription": "Get Olm running on your system",
+    "clientInstallOlm": "Install Machine Client",
+    "clientInstallOlmDescription": "Install the machine client for your system",
    "clientOlmCredentials": "Credentials",
    "clientOlmCredentialsDescription": "This is how the client will authenticate with the server",
    "olmEndpoint": "Endpoint",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Healthy Interval",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Time is in seconds",
+    "requireDeviceApproval": "Require Device Approvals",
+    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "No internal resources found.",
    "resourcesTableDestination": "Destination",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias Address",
+    "resourcesTableAliasAddressInfo": "This address is part of the organization's utility subnet. It's used to resolve alias records using internal DNS resolution.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "and are only accessible internally when connected with a client.",
    "resourcesTableNoTargets": "No targets",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Back to standard sign in",
    "orgAuthNoAccount": "Don't have an account?",
    "subscriptionRequiredToUse": "A subscription is required to use this feature.",
+    "mustUpgradeToUse": "You must upgrade your subscription to use this feature.",
+    "subscriptionRequiredTierToUse": "This feature requires <tierLink>{tier}</tierLink> or higher.",
+    "upgradeToTierToUse": "Upgrade to <tierLink>{tier}</tierLink> or higher to use this feature.",
+    "subscriptionTierTier1": "Home",
+    "subscriptionTierTier2": "Team",
+    "subscriptionTierTier3": "Business",
+    "subscriptionTierEnterprise": "Enterprise",
    "idpDisabled": "Identity providers are disabled.",
    "orgAuthPageDisabled": "Organization auth page is disabled.",
    "domainRestartedDescription": "Domain verification restarted successfully",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Get a license",
+        "description": "Choose a plan and tell us how you plan to use Pangolin.",
+        "chooseTier": "Choose your plan",
+        "viewPricingLink": "See pricing, features, and limits",
+        "tiers": {
+            "starter": {
+                "title": "Starter",
+                "description": "Enterprise features, 25 users, 25 sites, and community support."
+            },
+            "scale": {
+                "title": "Scale",
+                "description": "Enterprise features, 50 users, 50 sites, and priority support."
+            }
+        },
+        "personalUseOnly": "Personal use only (free license — no checkout)",
+        "buttons": {
+            "continueToCheckout": "Continue to Checkout"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Checkout error",
+                "description": "Could not start checkout. Please try again."
+            }
+        }
+    },
    "priority": "Priority",
    "priorityDescription": "Higher priority routes are evaluated first. Priority = 100 means automatic ordering (system decides). Use another number to enforce manual priority.",
    "instanceName": "Instance Name",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
    "licenseRequiredToUse": "An Enterprise license is required to use this feature.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature.",
    "certResolver": "Certificate Resolver",
    "certResolverDescription": "Select the certificate resolver to use for this resource.",
    "selectCertResolver": "Select Certificate Resolver",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Code must be 9 characters (e.g., A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Invalid or expired code",
    "deviceCodeVerifyFailed": "Failed to verify device code",
+    "deviceCodeValidating": "Validating device code...",
+    "deviceCodeVerifying": "Verifying device authorization...",
    "signedInAs": "Signed in as",
    "deviceCodeEnterPrompt": "Enter the code displayed on the device",
    "continue": "Continue",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Access to all organizations your account has access to",
    "deviceAuthorize": "Authorize {applicationName}",
    "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "View Devices",
    "viewDevicesDescription": "Manage your connected devices",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Not you? Use a different account.",
    "deviceLoginDeviceRequestingAccessToAccount": "A device is requesting access to this account.",
+    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
    "noData": "No Data",
    "machineClients": "Machine Clients",
    "install": "Install",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Service Temporarily Unavailable",
    "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
-    "createInternalResourceDialogDestinationRequired": "Destination is required"
+    "createInternalResourceDialogDestinationRequired": "Destination is required",
+    "available": "Available",
+    "archived": "Archived",
+    "noArchivedDevices": "No archived devices found",
+    "deviceArchived": "Device archived",
+    "deviceArchivedDescription": "The device has been successfully archived.",
+    "errorArchivingDevice": "Error archiving device",
+    "failedToArchiveDevice": "Failed to archive device",
+    "deviceQuestionArchive": "Are you sure you want to archive this device?",
+    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
+    "deviceArchiveConfirm": "Archive Device",
+    "archiveDevice": "Archive Device",
+    "archive": "Archive",
+    "deviceUnarchived": "Device unarchived",
+    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
+    "errorUnarchivingDevice": "Error unarchiving device",
+    "failedToUnarchiveDevice": "Failed to unarchive device",
+    "unarchive": "Unarchive",
+    "archiveClient": "Archive Client",
+    "archiveClientQuestion": "Are you sure you want to archive this client?",
+    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
+    "archiveClientConfirm": "Archive Client",
+    "blockClient": "Block Client",
+    "blockClientQuestion": "Are you sure you want to block this client?",
+    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
+    "blockClientConfirm": "Block Client",
+    "active": "Active",
+    "usernameOrEmail": "Username or Email",
+    "selectYourOrganization": "Select your organization",
+    "signInTo": "Log in in to",
+    "signInWithPassword": "Continue with Password",
+    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
+    "enterPassword": "Enter your password",
+    "enterMfaCode": "Enter the code from your authenticator app",
+    "securityKeyRequired": "Please use your security key to sign in.",
+    "needToUseAnotherAccount": "Need to use a different account?",
+    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
+    "termsOfService": "Terms of Service",
+    "privacyPolicy": "Privacy Policy",
+    "userNotFoundWithUsername": "No user found with that username.",
+    "verify": "Verify",
+    "signIn": "Sign In",
+    "forgotPassword": "Forgot password?",
+    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
+    "continueAnyway": "Continue anyway",
+    "dontShowAgain": "Don't show again",
+    "orgSignInNotice": "Did you know?",
+    "signupOrgNotice": "Trying to sign in?",
+    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
+    "signupOrgLink": "Sign in or sign up with your organization instead",
+    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
+    "logIn": "Log In",
+    "deviceInformation": "Device Information",
+    "deviceInformationDescription": "Information about the device and agent",
+    "deviceSecurity": "Device Security",
+    "deviceSecurityDescription": "Device security posture information",
+    "platform": "Platform",
+    "macosVersion": "macOS Version",
+    "windowsVersion": "Windows Version",
+    "iosVersion": "iOS Version",
+    "androidVersion": "Android Version",
+    "osVersion": "OS Version",
+    "kernelVersion": "Kernel Version",
+    "deviceModel": "Device Model",
+    "serialNumber": "Serial Number",
+    "hostname": "Hostname",
+    "firstSeen": "First Seen",
+    "lastSeen": "Last Seen",
+    "biometricsEnabled": "Biometrics Enabled",
+    "diskEncrypted": "Disk Encrypted",
+    "firewallEnabled": "Firewall Enabled",
+    "autoUpdatesEnabled": "Auto Updates Enabled",
+    "tpmAvailable": "TPM Available",
+    "windowsAntivirusEnabled": "Antivirus Enabled",
+    "macosSipEnabled": "System Integrity Protection (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Stealth Mode",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "View device information and settings",
+    "devicePendingApprovalDescription": "This device is waiting for approval",
+    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
+    "unblockClient": "Unblock Client",
+    "unblockClientDescription": "The device has been unblocked",
+    "unarchiveClient": "Unarchive Client",
+    "unarchiveClientDescription": "The device has been unarchived",
+    "block": "Block",
+    "unblock": "Unblock",
+    "deviceActions": "Device Actions",
+    "deviceActionsDescription": "Manage device status and access",
+    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
+    "connected": "Connected",
+    "disconnected": "Disconnected",
+    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
+    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
+    "approvalsEmptyStateStep1Title": "Go to Roles",
+    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
+    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
+    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
+    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
+    "approvalsEmptyStateButtonText": "Manage Roles"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -18,6 +18,8 @@
    "componentsMember": "Eres un miembro de {count, plural, =0 {ninguna organización} one {una organización} other {# organizaciones}}.",
    "componentsInvalidKey": "Se han detectado claves de licencia inválidas o caducadas. Siga los términos de licencia para seguir usando todas las características.",
    "dismiss": "Descartar",
+    "subscriptionViolationMessage": "Estás más allá de tus límites para tu plan actual. Corrija el problema eliminando sitios, usuarios u otros recursos para permanecer dentro de tu plan.",
+    "subscriptionViolationViewBilling": "Ver facturación",
    "componentsLicenseViolation": "Violación de la Licencia: Este servidor está usando sitios {usedSites} que exceden su límite de licencias de sitios {maxSites} . Siga los términos de licencia para seguir usando todas las características.",
    "componentsSupporterMessage": "¡Gracias por apoyar a Pangolin como {tier}!",
    "inviteErrorNotValid": "Lo sentimos, pero parece que la invitación a la que intentas acceder no ha sido aceptada o ya no es válida.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Conectar cualquier red",
    "sitesBannerDescription": "Un sitio es una conexión a una red remota que permite a Pangolin proporcionar acceso a recursos, públicos o privados, a usuarios en cualquier lugar. Instale el conector de red del sitio (Newt) en cualquier lugar donde pueda ejecutar un binario o contenedor para establecer la conexión.",
    "sitesBannerButtonText": "Instalar sitio",
+    "approvalsBannerTitle": "Aprobar o denegar el acceso al dispositivo",
+    "approvalsBannerDescription": "Revisar y aprobar o denegar las solicitudes de acceso al dispositivo de los usuarios. Cuando se requieren aprobaciones de dispositivos, los usuarios deben obtener la aprobación del administrador antes de que sus dispositivos puedan conectarse a los recursos de su organización.",
+    "approvalsBannerButtonText": "Saber más",
    "siteCreate": "Crear sitio",
    "siteCreateDescription2": "Siga los pasos siguientes para crear y conectar un nuevo sitio",
    "siteCreateDescription": "Crear un nuevo sitio para empezar a conectar recursos",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Buscar roles...",
    "accessRolesAdd": "Añadir rol",
    "accessRoleDelete": "Eliminar rol",
+    "accessApprovalsManage": "Administrar aprobaciones",
+    "accessApprovalsDescription": "Ver y administrar aprobaciones pendientes para el acceso a esta organización",
    "description": "Descripción",
    "inviteTitle": "Invitaciones abiertas",
    "inviteDescription": "Administrar invitaciones para que otros usuarios se unan a la organización",
@@ -450,6 +457,18 @@
    "selectDuration": "Seleccionar duración",
    "selectResource": "Seleccionar Recurso",
    "filterByResource": "Filtrar por Recurso",
+    "selectApprovalState": "Seleccionar Estado de Aprobación",
+    "filterByApprovalState": "Filtrar por estado de aprobación",
+    "approvalListEmpty": "No hay aprobaciones",
+    "approvalState": "Estado de aprobación",
+    "approve": "Aprobar",
+    "approved": "Aprobado",
+    "denied": "Denegado",
+    "deniedApproval": "Aprobación denegada",
+    "all": "Todo",
+    "deny": "Denegar",
+    "viewDetails": "Ver detalles",
+    "requestingNewDeviceApproval": "solicitó un nuevo dispositivo",
    "resetFilters": "Reiniciar filtros",
    "totalBlocked": "Solicitudes bloqueadas por Pangolin",
    "totalRequests": "Solicitudes totales",
@@ -729,16 +748,28 @@
    "countries": "Países",
    "accessRoleCreate": "Crear rol",
    "accessRoleCreateDescription": "Crear un nuevo rol para agrupar usuarios y administrar sus permisos.",
+    "accessRoleEdit": "Editar rol",
+    "accessRoleEditDescription": "Editar información de rol.",
    "accessRoleCreateSubmit": "Crear rol",
    "accessRoleCreated": "Rol creado",
    "accessRoleCreatedDescription": "El rol se ha creado correctamente.",
    "accessRoleErrorCreate": "Error al crear el rol",
    "accessRoleErrorCreateDescription": "Se ha producido un error al crear el rol.",
+    "accessRoleUpdateSubmit": "Actualizar rol",
+    "accessRoleUpdated": "Rol actualizado",
+    "accessRoleUpdatedDescription": "El rol se ha actualizado correctamente.",
+    "accessApprovalUpdated": "Aprobación procesada",
+    "accessApprovalApprovedDescription": "Establezca la decisión de Solicitud de Aprobación a aprobar.",
+    "accessApprovalDeniedDescription": "Define la decisión de Solicitud de Aprobación a denegar.",
+    "accessRoleErrorUpdate": "Error al actualizar el rol",
+    "accessRoleErrorUpdateDescription": "Se ha producido un error al actualizar el rol.",
+    "accessApprovalErrorUpdate": "Error al procesar la aprobación",
+    "accessApprovalErrorUpdateDescription": "Se ha producido un error al procesar la aprobación.",
    "accessRoleErrorNewRequired": "Se requiere un nuevo rol",
    "accessRoleErrorRemove": "Error al eliminar el rol",
    "accessRoleErrorRemoveDescription": "Ocurrió un error mientras se eliminaba el rol.",
    "accessRoleName": "Nombre del Rol",
-    "accessRoleQuestionRemove": "Estás a punto de eliminar el rol {name} . No puedes deshacer esta acción.",
+    "accessRoleQuestionRemove": "Estás a punto de eliminar el rol `{name}`. No puedes deshacer esta acción.",
    "accessRoleRemove": "Quitar rol",
    "accessRoleRemoveDescription": "Eliminar un rol de la organización",
    "accessRoleRemoveSubmit": "Quitar rol",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Póngase en contacto con su administrador",
    "passwordResetSmtpRequiredDescription": "Se requiere un código de restablecimiento de contraseña para restablecer su contraseña. Póngase en contacto con su administrador para obtener asistencia.",
    "passwordBack": "Volver a la contraseña",
-    "loginBack": "Volver a iniciar sesión",
+    "loginBack": "Volver a la página principal de acceso",
    "signup": "Regístrate",
    "loginStart": "Inicia sesión para empezar",
    "idpOidcTokenValidating": "Validando token OIDC",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Actualizar IDP Org",
    "actionCreateClient": "Crear cliente",
    "actionDeleteClient": "Eliminar cliente",
+    "actionArchiveClient": "Archivar cliente",
+    "actionUnarchiveClient": "Desarchivar cliente",
+    "actionBlockClient": "Bloquear cliente",
+    "actionUnblockClient": "Desbloquear cliente",
    "actionUpdateClient": "Actualizar cliente",
    "actionListClients": "Listar clientes",
    "actionGetClient": "Obtener cliente",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Buscar...",
    "create": "Crear",
    "orgs": "Organizaciones",
-    "loginError": "Se ha producido un error al iniciar sesión",
-    "loginRequiredForDevice": "Es necesario iniciar sesión para autenticar tu dispositivo.",
+    "loginError": "Ocurrió un error inesperado. Por favor, inténtelo de nuevo.",
+    "loginRequiredForDevice": "Es necesario iniciar sesión para tu dispositivo.",
    "passwordForgot": "¿Olvidaste tu contraseña?",
    "otpAuth": "Autenticación de dos factores",
    "otpAuthDescription": "Introduzca el código de su aplicación de autenticación o uno de sus códigos de copia de seguridad de un solo uso.",
    "otpAuthSubmit": "Enviar código",
    "idpContinue": "O continuar con",
-    "otpAuthBack": "Volver a iniciar sesión",
+    "otpAuthBack": "Volver a la contraseña",
    "navbar": "Menú de navegación",
    "navbarDescription": "Menú de navegación principal para la aplicación",
    "navbarDocsLink": "Documentación",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Resumen",
    "sidebarHome": "Inicio",
    "sidebarSites": "Sitios",
+    "sidebarApprovals": "Solicitudes de aprobación",
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Proveedores de identidad",
    "sidebarLicense": "Licencia",
    "sidebarClients": "Clientes",
-    "sidebarUserDevices": "Usuarios",
+    "sidebarUserDevices": "Dispositivos de usuario",
    "sidebarMachineClients": "Máquinas",
    "sidebarDomains": "Dominios",
    "sidebarGeneral": "Gestionar",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Se produjo un error al crear la cuenta de administrador del servidor.",
    "certificateStatus": "Estado del certificado",
    "loading": "Cargando",
+    "loadingAnalytics": "Cargando analíticas",
    "restart": "Reiniciar",
    "domains": "Dominios",
    "domainsDescription": "Crear y administrar dominios disponibles en la organización",
@@ -1304,6 +1341,7 @@
    "refreshError": "Error al actualizar datos",
    "verified": "Verificado",
    "pending": "Pendiente",
+    "pendingApproval": "Pendientes de aprobación",
    "sidebarBilling": "Facturación",
    "billing": "Facturación",
    "orgBillingDescription": "Administrar información de facturación y suscripciones",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Descripción general de los límites de uso",
    "billingMonitorUsage": "Monitorea tu uso comparado con los límites configurados. Si necesitas que aumenten los límites, contáctanos a soporte@pangolin.net.",
    "billingDataUsage": "Uso de datos",
-    "billingOnlineTime": "Tiempo en línea del sitio",
-    "billingUsers": "Usuarios activos",
-    "billingDomains": "Dominios activos",
-    "billingRemoteExitNodes": "Nodos autogestionados activos",
+    "billingSites": "Sitios",
+    "billingUsers": "Usuarios",
+    "billingDomains": "Dominios",
+    "billingRemoteExitNodes": "Nodos remotos",
    "billingNoLimitConfigured": "No se ha configurado ningún límite",
    "billingEstimatedPeriod": "Período de facturación estimado",
    "billingIncludedUsage": "Uso incluido",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Error al obtener la URL del portal",
    "billingPortalError": "Error del portal",
    "billingDataUsageInfo": "Se le cobran todos los datos transferidos a través de sus túneles seguros cuando se conectan a la nube. Esto incluye tanto tráfico entrante como saliente a través de todos sus sitios. Cuando alcance su límite, sus sitios se desconectarán hasta que actualice su plan o reduzca el uso. Los datos no se cargan cuando se usan nodos.",
-    "billingOnlineTimeInfo": "Se te cobrará en función del tiempo que tus sitios permanezcan conectados a la nube. Por ejemplo, 44.640 minutos equivale a un sitio que funciona 24/7 durante un mes completo. Cuando alcance su límite, sus sitios se desconectarán hasta que mejore su plan o reduzca el uso. No se cargará el tiempo al usar nodos.",
-    "billingUsersInfo": "Se le cobra por cada usuario en la organización. La facturación se calcula diariamente según el número de cuentas de usuario activas en su órgano.",
-    "billingDomainInfo": "Se le cobra por cada dominio en la organización. La facturación se calcula diariamente en función del número de cuentas de dominio activas en su órgano.",
-    "billingRemoteExitNodesInfo": "Se le cobra por cada nodo administrado en la organización. La facturación se calcula diariamente en función del número de nodos activos gestionados en su órgano.",
+    "billingSInfo": "Cuántos sitios puedes usar",
+    "billingUsersInfo": "Cuántos usuarios puedes usar",
+    "billingDomainInfo": "Cuántos dominios puedes usar",
+    "billingRemoteExitNodesInfo": "Cuántos nodos remotos puedes usar",
+    "billingLicenseKeys": "Claves de licencia",
+    "billingLicenseKeysDescription": "Administrar las suscripciones de su clave de licencia",
+    "billingLicenseSubscription": "Suscripción de licencia",
+    "billingInactive": "Inactivo",
+    "billingLicenseItem": "Licencia",
+    "billingQuantity": "Cantidad",
+    "billingTotal": "total",
+    "billingModifyLicenses": "Modificar suscripción de licencia",
    "domainNotFound": "Dominio no encontrado",
    "domainNotFoundDescription": "Este recurso está deshabilitado porque el dominio ya no existe en nuestro sistema. Por favor, establece un nuevo dominio para este recurso.",
    "failed": "Fallido",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Llave de seguridad eliminada exitosamente",
    "securityKeyRemoveError": "Error al eliminar la llave de seguridad",
    "securityKeyLoadError": "Error al cargar las llaves de seguridad",
-    "securityKeyLogin": "Continuar con clave de seguridad",
+    "securityKeyLogin": "Usar clave de seguridad",
    "securityKeyAuthError": "Error al autenticar con llave de seguridad",
    "securityKeyRecommendation": "Considere registrar otra llave de seguridad en un dispositivo diferente para asegurarse de no quedar bloqueado de su cuenta.",
    "registering": "Registrando...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Se requiere número de puerto para recursos no HTTP",
    "resourcePortNotAllowed": "El número de puerto no debe establecerse para recursos HTTP",
    "billingPricingCalculatorLink": "Calculadora de Precios",
+    "billingYourPlan": "Su plan",
+    "billingViewOrModifyPlan": "Ver o modificar su plan actual",
+    "billingViewPlanDetails": "Ver detalles del plan",
+    "billingUsageAndLimits": "Uso y límites",
+    "billingViewUsageAndLimits": "Ver los límites de tu plan y el uso actual",
+    "billingCurrentUsage": "Uso actual",
+    "billingMaximumLimits": "Límites máximos",
+    "billingRemoteNodes": "Nodos remotos",
+    "billingUnlimited": "Ilimitado",
+    "billingPaidLicenseKeys": "Claves de licencia pagadas",
+    "billingManageLicenseSubscription": "Administra tu suscripción para las claves de licencia autoalojadas pagadas",
+    "billingCurrentKeys": "Claves actuales",
+    "billingModifyCurrentPlan": "Modificar plan actual",
+    "billingConfirmUpgrade": "Confirmar actualización",
+    "billingConfirmDowngrade": "Confirmar descenso",
+    "billingConfirmUpgradeDescription": "Estás a punto de actualizar tu plan. Revisa los nuevos límites y precios a continuación.",
+    "billingConfirmDowngradeDescription": "Está a punto de rebajar su plan. Revise los nuevos límites y los precios a continuación.",
+    "billingPlanIncludes": "Plan Incluye",
+    "billingProcessing": "Procesando...",
+    "billingConfirmUpgradeButton": "Confirmar actualización",
+    "billingConfirmDowngradeButton": "Confirmar descenso",
+    "billingLimitViolationWarning": "El uso excede los nuevos límites del plan",
+    "billingLimitViolationDescription": "Su uso actual excede los límites de este plan. Después de degradar, todas las acciones se desactivarán hasta que reduzca el uso dentro de los nuevos límites. Por favor, revisa las siguientes características que están actualmente por encima de los límites. Límites en violación:",
+    "billingFeatureLossWarning": "Aviso de disponibilidad de funcionalidad",
+    "billingFeatureLossDescription": "Al degradar, las características no disponibles en el nuevo plan se desactivarán automáticamente. Algunas configuraciones y configuraciones pueden perderse. Por favor, revise la matriz de precios para entender qué características ya no estarán disponibles.",
+    "billingUsageExceedsLimit": "El uso actual ({current}) supera el límite ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Estoy de acuerdo con los",
        "termsOfService": "términos del servicio",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Intervalo Saludable",
    "timeoutSeconds": "Tiempo agotado (seg)",
    "timeIsInSeconds": "El tiempo está en segundos",
+    "requireDeviceApproval": "Requiere aprobaciones del dispositivo",
+    "requireDeviceApprovalDescription": "Los usuarios con este rol necesitan nuevos dispositivos aprobados por un administrador antes de poder conectarse y acceder a los recursos.",
    "retryAttempts": "Intentos de Reintento",
    "expectedResponseCodes": "Códigos de respuesta esperados",
    "expectedResponseCodesDescription": "Código de estado HTTP que indica un estado saludable. Si se deja en blanco, se considera saludable de 200 a 300.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "No se encontraron recursos internos.",
    "resourcesTableDestination": "Destino",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Dirección del alias",
+    "resourcesTableAliasAddressInfo": "Esta dirección es parte de la subred de utilidad de la organización. Se utiliza para resolver registros de alias usando resolución DNS interna.",
    "resourcesTableClients": "Clientes",
    "resourcesTableAndOnlyAccessibleInternally": "y solo son accesibles internamente cuando se conectan con un cliente.",
    "resourcesTableNoTargets": "Sin objetivos",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Volver a iniciar sesión estándar",
    "orgAuthNoAccount": "¿No tienes una cuenta?",
    "subscriptionRequiredToUse": "Se requiere una suscripción para utilizar esta función.",
+    "mustUpgradeToUse": "Debes actualizar tu suscripción para usar esta función.",
+    "subscriptionRequiredTierToUse": "Esta función requiere <tierLink>{tier}</tierLink> o superior.",
+    "upgradeToTierToUse": "Actualiza a <tierLink>{tier}</tierLink> o superior para usar esta función.",
+    "subscriptionTierTier1": "Inicio",
+    "subscriptionTierTier2": "Equipo",
+    "subscriptionTierTier3": "Negocio",
+    "subscriptionTierEnterprise": "Empresa",
    "idpDisabled": "Los proveedores de identidad están deshabilitados.",
    "orgAuthPageDisabled": "La página de autenticación de la organización está deshabilitada.",
    "domainRestartedDescription": "Verificación de dominio reiniciada con éxito",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Obtener una licencia",
+        "description": "Elige un plan y dinos cómo planeas usar Pangolin.",
+        "chooseTier": "Elige tu plan",
+        "viewPricingLink": "Ver precios, características y límites",
+        "tiers": {
+            "starter": {
+                "title": "Interruptor",
+                "description": "Características de la empresa, 25 usuarios, 25 sitios y soporte comunitario."
+            },
+            "scale": {
+                "title": "Escala",
+                "description": "Características de la empresa, 50 usuarios, 50 sitios y soporte prioritario."
+            }
+        },
+        "personalUseOnly": "Solo uso personal (licencia gratuita, sin pago)",
+        "buttons": {
+            "continueToCheckout": "Continuar con el pago"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Error de pago",
+                "description": "No se pudo iniciar el pago. Por favor, inténtelo de nuevo."
+            }
+        }
+    },
    "priority": "Prioridad",
    "priorityDescription": "Las rutas de prioridad más alta son evaluadas primero. Prioridad = 100 significa orden automático (decisiones del sistema). Utilice otro número para hacer cumplir la prioridad manual.",
    "instanceName": "Nombre de instancia",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
    "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
    "licenseRequiredToUse": "Se requiere una licencia Enterprise para utilizar esta función.",
+    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función.",
    "certResolver": "Resolver certificado",
    "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
    "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "El código debe tener 9 caracteres (por ejemplo, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Código no válido o caducado",
    "deviceCodeVerifyFailed": "Error al verificar el código del dispositivo",
+    "deviceCodeValidating": "Validando código de dispositivo...",
+    "deviceCodeVerifying": "Verificando autorización del dispositivo...",
    "signedInAs": "Conectado como",
    "deviceCodeEnterPrompt": "Introduzca el código mostrado en el dispositivo",
    "continue": "Continuar",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Acceso a todas las organizaciones a las que su cuenta tiene acceso",
    "deviceAuthorize": "Autorizar a {applicationName}",
    "deviceConnected": "¡Dispositivo conectado!",
-    "deviceAuthorizedMessage": "El dispositivo está autorizado para acceder a su cuenta.",
+    "deviceAuthorizedMessage": "El dispositivo está autorizado para acceder a su cuenta. Por favor, vuelva a la aplicación cliente.",
    "pangolinCloud": "Nube de Pangolin",
    "viewDevices": "Ver dispositivos",
    "viewDevicesDescription": "Administra tus dispositivos conectados",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "¿No tú? Utilice una cuenta diferente.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo está solicitando acceso a esta cuenta.",
+    "loginSelectAuthenticationMethod": "Seleccione un método de autenticación para continuar.",
    "noData": "Sin datos",
    "machineClients": "Clientes de la máquina",
    "install": "Instalar",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Servicio temporalmente no disponible",
    "maintenanceScreenMessage": "Actualmente estamos experimentando dificultades técnicas. Por favor regrese pronto.",
    "maintenanceScreenEstimatedCompletion": "Estimado completado:",
-    "createInternalResourceDialogDestinationRequired": "Se requiere destino"
+    "createInternalResourceDialogDestinationRequired": "Se requiere destino",
+    "available": "Disponible",
+    "archived": "Archivado",
+    "noArchivedDevices": "No se encontraron dispositivos archivados",
+    "deviceArchived": "Dispositivo archivado",
+    "deviceArchivedDescription": "El dispositivo se ha archivado correctamente.",
+    "errorArchivingDevice": "Error al archivar dispositivo",
+    "failedToArchiveDevice": "Error al archivar el dispositivo",
+    "deviceQuestionArchive": "¿Está seguro que desea archivar este dispositivo?",
+    "deviceMessageArchive": "El dispositivo será archivado y eliminado de su lista de dispositivos activos.",
+    "deviceArchiveConfirm": "Archivar dispositivo",
+    "archiveDevice": "Archivar dispositivo",
+    "archive": "Archivar",
+    "deviceUnarchived": "Dispositivo desarchivado",
+    "deviceUnarchivedDescription": "El dispositivo se ha desarchivado correctamente.",
+    "errorUnarchivingDevice": "Error al desarchivar dispositivo",
+    "failedToUnarchiveDevice": "Error al desarchivar el dispositivo",
+    "unarchive": "Desarchivar",
+    "archiveClient": "Archivar cliente",
+    "archiveClientQuestion": "¿Está seguro que desea archivar este cliente?",
+    "archiveClientMessage": "El cliente será archivado y eliminado de su lista de clientes activos.",
+    "archiveClientConfirm": "Archivar cliente",
+    "blockClient": "Bloquear cliente",
+    "blockClientQuestion": "¿Estás seguro de que quieres bloquear a este cliente?",
+    "blockClientMessage": "El dispositivo será forzado a desconectarse si está conectado actualmente. Puede desbloquear el dispositivo más tarde.",
+    "blockClientConfirm": "Bloquear cliente",
+    "active": "Activo",
+    "usernameOrEmail": "Nombre de usuario o email",
+    "selectYourOrganization": "Seleccione su organización",
+    "signInTo": "Iniciar sesión en",
+    "signInWithPassword": "Continuar con la contraseña",
+    "noAuthMethodsAvailable": "No hay métodos de autenticación disponibles para esta organización.",
+    "enterPassword": "Introduzca su contraseña",
+    "enterMfaCode": "Introduzca el código de su aplicación de autenticación",
+    "securityKeyRequired": "Utilice su clave de seguridad para iniciar sesión.",
+    "needToUseAnotherAccount": "¿Necesitas usar una cuenta diferente?",
+    "loginLegalDisclaimer": "Al hacer clic en los botones de abajo, reconoces que has leído, comprendido, y acepta los <termsOfService>Términos de Servicio</termsOfService> y <privacyPolicy>Política de Privacidad</privacyPolicy>.",
+    "termsOfService": "Términos de Servicio",
+    "privacyPolicy": "Política de privacidad",
+    "userNotFoundWithUsername": "Ningún usuario encontrado con ese nombre de usuario.",
+    "verify": "Verificar",
+    "signIn": "Iniciar sesión",
+    "forgotPassword": "¿Olvidaste la contraseña?",
+    "orgSignInTip": "Si has iniciado sesión antes, puedes introducir tu nombre de usuario o correo electrónico arriba para autenticarte con el proveedor de identidad de tu organización. ¡Es más fácil!",
+    "continueAnyway": "Continuar de todos modos",
+    "dontShowAgain": "No volver a mostrar",
+    "orgSignInNotice": "¿Sabía usted?",
+    "signupOrgNotice": "¿Intentando iniciar sesión?",
+    "signupOrgTip": "¿Estás intentando iniciar sesión a través del proveedor de identidad de tu organización?",
+    "signupOrgLink": "Inicia sesión o regístrate con tu organización",
+    "verifyEmailLogInWithDifferentAccount": "Usar una cuenta diferente",
+    "logIn": "Iniciar sesión",
+    "deviceInformation": "Información del dispositivo",
+    "deviceInformationDescription": "Información sobre el dispositivo y el agente",
+    "deviceSecurity": "Seguridad del dispositivo",
+    "deviceSecurityDescription": "Información de postura de seguridad del dispositivo",
+    "platform": "Plataforma",
+    "macosVersion": "versión macOS",
+    "windowsVersion": "Versión de Windows",
+    "iosVersion": "Versión de iOS",
+    "androidVersion": "Versión de Android",
+    "osVersion": "Versión del SO",
+    "kernelVersion": "Versión de Kernel",
+    "deviceModel": "Modelo de dispositivo",
+    "serialNumber": "Número Serial",
+    "hostname": "Hostname",
+    "firstSeen": "Primer detectado",
+    "lastSeen": "Último Visto",
+    "biometricsEnabled": "Biometría habilitada",
+    "diskEncrypted": "Disco cifrado",
+    "firewallEnabled": "Cortafuegos activado",
+    "autoUpdatesEnabled": "Actualizaciones automáticas habilitadas",
+    "tpmAvailable": "TPM disponible",
+    "windowsAntivirusEnabled": "Antivirus activado",
+    "macosSipEnabled": "Protección de integridad del sistema (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Sigilo Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Ver información y ajustes del dispositivo",
+    "devicePendingApprovalDescription": "Este dispositivo está esperando su aprobación",
+    "deviceBlockedDescription": "Este dispositivo está actualmente bloqueado. No podrá conectarse a ningún recurso a menos que sea desbloqueado.",
+    "unblockClient": "Desbloquear cliente",
+    "unblockClientDescription": "El dispositivo ha sido desbloqueado",
+    "unarchiveClient": "Desarchivar cliente",
+    "unarchiveClientDescription": "El dispositivo ha sido desarchivado",
+    "block": "Bloque",
+    "unblock": "Desbloquear",
+    "deviceActions": "Acciones del dispositivo",
+    "deviceActionsDescription": "Administrar estado y acceso al dispositivo",
+    "devicePendingApprovalBannerDescription": "Este dispositivo está pendiente de aprobación. No podrá conectarse a recursos hasta que sea aprobado.",
+    "connected": "Conectado",
+    "disconnected": "Desconectado",
+    "approvalsEmptyStateTitle": "Aprobaciones de dispositivo no habilitadas",
+    "approvalsEmptyStateDescription": "Habilita las aprobaciones de dispositivos para que los roles requieran aprobación del administrador antes de que los usuarios puedan conectar nuevos dispositivos.",
+    "approvalsEmptyStateStep1Title": "Ir a roles",
+    "approvalsEmptyStateStep1Description": "Navega a la configuración de roles de tu organización para configurar las aprobaciones de dispositivos.",
+    "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
+    "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
+    "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
+    "approvalsEmptyStateButtonText": "Administrar roles"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -18,6 +18,8 @@
    "componentsMember": "Vous {count, plural, =0 {n'} other {} }êtes membre {count, plural, =0 {d'aucune organisation} one {d'une organisation} other {de # organisations}}.",
    "componentsInvalidKey": "Clés de licence invalides ou expirées détectées. Veuillez respecter les conditions de licence pour continuer à utiliser toutes les fonctionnalités.",
    "dismiss": "Rejeter",
+    "subscriptionViolationMessage": "Vous dépassez vos limites pour votre forfait actuel. Corrigez le problème en supprimant des sites, des utilisateurs ou d'autres ressources pour rester dans votre forfait.",
+    "subscriptionViolationViewBilling": "Voir la facturation",
    "componentsLicenseViolation": "Violation de licence : ce serveur utilise {usedSites} nœuds, ce qui dépasse la limite autorisée de {maxSites} nœuds. Respectez les conditions de licence pour continuer à utiliser toutes les fonctionnalités.",
    "componentsSupporterMessage": "Merci de soutenir Pangolin en tant que {tier}!",
    "inviteErrorNotValid": "Nous sommes désolés, mais il semble que l'invitation à laquelle vous essayez d'accéder n'ait pas été acceptée ou ne soit plus valide.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Se connecter à n'importe quel réseau",
    "sitesBannerDescription": "Un site est une connexion à un réseau distant qui permet à Pangolin de fournir aux utilisateurs l'accès à des ressources, publiques ou privées, n'importe où. Installez le connecteur de réseau du site (Newt) partout où vous pouvez exécuter un binaire ou un conteneur pour établir la connexion.",
    "sitesBannerButtonText": "Installer le site",
+    "approvalsBannerTitle": "Approuver ou refuser l'accès à l'appareil",
+    "approvalsBannerDescription": "Examinez et approuvez ou refusez les demandes d'accès à l'appareil des utilisateurs. Lorsque les autorisations de l'appareil sont requises, les utilisateurs doivent obtenir l'approbation de l'administrateur avant que leurs appareils puissent se connecter aux ressources de votre organisation.",
+    "approvalsBannerButtonText": "En savoir plus",
    "siteCreate": "Créer un nœud",
    "siteCreateDescription2": "Suivez les étapes ci-dessous pour créer et connecter un nouveau nœud",
    "siteCreateDescription": "Créer un nouveau site pour commencer à connecter des ressources",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Chercher des rôles...",
    "accessRolesAdd": "Ajouter un rôle",
    "accessRoleDelete": "Supprimer le rôle",
+    "accessApprovalsManage": "Gérer les approbations",
+    "accessApprovalsDescription": "Voir et gérer les approbations en attente pour accéder à cette organisation",
    "description": "Libellé",
    "inviteTitle": "Invitations actives",
    "inviteDescription": "Gérer les invitations des autres utilisateurs à rejoindre l'organisation",
@@ -450,6 +457,18 @@
    "selectDuration": "Sélectionner la durée",
    "selectResource": "Sélectionner une ressource",
    "filterByResource": "Filtrer par ressource",
+    "selectApprovalState": "Sélectionnez l'État d'Approbation",
+    "filterByApprovalState": "Filtrer par État d'Approbation",
+    "approvalListEmpty": "Aucune approbation",
+    "approvalState": "État d'approbation",
+    "approve": "Approuver",
+    "approved": "Approuvé",
+    "denied": "Refusé",
+    "deniedApproval": "Approbation refusée",
+    "all": "Tous",
+    "deny": "Refuser",
+    "viewDetails": "Voir les détails",
+    "requestingNewDeviceApproval": "a demandé un nouvel appareil",
    "resetFilters": "Réinitialiser les filtres",
    "totalBlocked": "Demandes bloquées par le Pangolin",
    "totalRequests": "Total des demandes",
@@ -729,16 +748,28 @@
    "countries": "Pays",
    "accessRoleCreate": "Créer un rôle",
    "accessRoleCreateDescription": "Créer un nouveau rôle pour regrouper les utilisateurs et gérer leurs permissions.",
+    "accessRoleEdit": "Modifier le rôle",
+    "accessRoleEditDescription": "Modifier les informations du rôle.",
    "accessRoleCreateSubmit": "Créer un rôle",
    "accessRoleCreated": "Rôle créé",
    "accessRoleCreatedDescription": "Le rôle a été créé avec succès.",
    "accessRoleErrorCreate": "Échec de la création du rôle",
    "accessRoleErrorCreateDescription": "Une erreur s'est produite lors de la création du rôle.",
+    "accessRoleUpdateSubmit": "Mettre à jour un rôle",
+    "accessRoleUpdated": "Rôle mis à jour",
+    "accessRoleUpdatedDescription": "Le rôle a été mis à jour avec succès.",
+    "accessApprovalUpdated": "Approbation traitée",
+    "accessApprovalApprovedDescription": "Définir la décision de la demande d'approbation à approuver.",
+    "accessApprovalDeniedDescription": "Définir la décision de la demande d'approbation comme refusée.",
+    "accessRoleErrorUpdate": "Impossible de mettre à jour le rôle",
+    "accessRoleErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour du rôle.",
+    "accessApprovalErrorUpdate": "Impossible de traiter l'approbation",
+    "accessApprovalErrorUpdateDescription": "Une erreur s'est produite lors du traitement de l'approbation.",
    "accessRoleErrorNewRequired": "Un nouveau rôle est requis",
    "accessRoleErrorRemove": "Échec de la suppression du rôle",
    "accessRoleErrorRemoveDescription": "Une erreur s'est produite lors de la suppression du rôle.",
    "accessRoleName": "Nom du rôle",
-    "accessRoleQuestionRemove": "Vous êtes sur le point de supprimer le rôle {name}. Cette action est irréversible.",
+    "accessRoleQuestionRemove": "Vous êtes sur le point de supprimer le rôle `{name}`. Vous ne pouvez pas annuler cette action.",
    "accessRoleRemove": "Supprimer le rôle",
    "accessRoleRemoveDescription": "Retirer un rôle de l'organisation",
    "accessRoleRemoveSubmit": "Supprimer le rôle",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Veuillez contacter votre administrateur",
    "passwordResetSmtpRequiredDescription": "Un code de réinitialisation du mot de passe est requis pour réinitialiser votre mot de passe. Veuillez contacter votre administrateur pour obtenir de l'aide.",
    "passwordBack": "Retour au mot de passe",
-    "loginBack": "Retour à la connexion",
+    "loginBack": "Revenir à la page de connexion principale",
    "signup": "S'inscrire",
    "loginStart": "Connectez-vous pour commencer",
    "idpOidcTokenValidating": "Validation du jeton OIDC",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Mettre à jour une organisation IDP",
    "actionCreateClient": "Créer un client",
    "actionDeleteClient": "Supprimer le client",
+    "actionArchiveClient": "Archiver le client",
+    "actionUnarchiveClient": "Désarchiver le client",
+    "actionBlockClient": "Bloquer le client",
+    "actionUnblockClient": "Débloquer le client",
    "actionUpdateClient": "Mettre à jour le client",
    "actionListClients": "Liste des clients",
    "actionGetClient": "Obtenir le client",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Rechercher...",
    "create": "Créer",
    "orgs": "Organisations",
-    "loginError": "Une erreur s'est produite lors de la connexion",
-    "loginRequiredForDevice": "La connexion est requise pour authentifier votre appareil.",
+    "loginError": "Une erreur inattendue s'est produite. Veuillez réessayer.",
+    "loginRequiredForDevice": "La connexion est requise pour votre appareil.",
    "passwordForgot": "Mot de passe oublié ?",
    "otpAuth": "Authentification à deux facteurs",
    "otpAuthDescription": "Entrez le code de votre application d'authentification ou l'un de vos codes de secours à usage unique.",
    "otpAuthSubmit": "Soumettre le code",
    "idpContinue": "Ou continuer avec",
-    "otpAuthBack": "Retour à la connexion",
+    "otpAuthBack": "Retour au mot de passe",
    "navbar": "Menu de navigation",
    "navbarDescription": "Menu de navigation principal de l'application",
    "navbarDocsLink": "Documentation",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Aperçu",
    "sidebarHome": "Domicile",
    "sidebarSites": "Nœuds",
+    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
    "sidebarProxyResources": "Publique",
    "sidebarClientResources": "Privé",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Fournisseurs d'identité",
    "sidebarLicense": "Licence",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Utilisateurs",
+    "sidebarUserDevices": "Périphériques utilisateur",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domaines",
    "sidebarGeneral": "Gérer",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Une erreur s'est produite lors de la création du compte administrateur du serveur.",
    "certificateStatus": "Statut du certificat",
    "loading": "Chargement",
+    "loadingAnalytics": "Chargement de l'analyse",
    "restart": "Redémarrer",
    "domains": "Domaines",
    "domainsDescription": "Créer et gérer les domaines disponibles dans l'organisation",
@@ -1304,6 +1341,7 @@
    "refreshError": "Échec de l'actualisation des données",
    "verified": "Vérifié",
    "pending": "En attente",
+    "pendingApproval": "En attente d'approbation",
    "sidebarBilling": "Facturation",
    "billing": "Facturation",
    "orgBillingDescription": "Gérer les informations de facturation et les abonnements",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Vue d'ensemble des limites d'utilisation",
    "billingMonitorUsage": "Surveillez votre consommation par rapport aux limites configurées. Si vous avez besoin d'une augmentation des limites, veuillez nous contacter à support@pangolin.net.",
    "billingDataUsage": "Utilisation des données",
-    "billingOnlineTime": "Temps en ligne du site",
-    "billingUsers": "Utilisateurs actifs",
-    "billingDomains": "Domaines actifs",
-    "billingRemoteExitNodes": "Nœuds auto-hébergés actifs",
+    "billingSites": "Nœuds",
+    "billingUsers": "Utilisateurs",
+    "billingDomains": "Domaines",
+    "billingRemoteExitNodes": "Nœuds distants",
    "billingNoLimitConfigured": "Aucune limite configurée",
    "billingEstimatedPeriod": "Période de facturation estimée",
    "billingIncludedUsage": "Utilisation incluse",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Échec pour obtenir l'URL du portail",
    "billingPortalError": "Erreur du portail",
    "billingDataUsageInfo": "Vous êtes facturé pour toutes les données transférées via vos tunnels sécurisés lorsque vous êtes connecté au cloud. Cela inclut le trafic entrant et sortant sur tous vos sites. Lorsque vous atteignez votre limite, vos sites se déconnecteront jusqu'à ce que vous mettiez à niveau votre plan ou réduisiez l'utilisation. Les données ne sont pas facturées lors de l'utilisation de nœuds.",
-    "billingOnlineTimeInfo": "Vous êtes facturé en fonction de la durée de connexion de vos sites au cloud. Par exemple, 44 640 minutes équivaut à un site fonctionnant 24/7 pendant un mois complet. Lorsque vous atteignez votre limite, vos sites se déconnecteront jusqu'à ce que vous mettiez à niveau votre forfait ou réduisiez votre consommation. Le temps n'est pas facturé lors de l'utilisation de nœuds.",
-    "billingUsersInfo": "Vous êtes facturé pour chaque utilisateur de l'organisation. La facturation est calculée quotidiennement en fonction du nombre de comptes d'utilisateurs actifs dans votre organisation.",
-    "billingDomainInfo": "Vous êtes facturé pour chaque domaine de l'organisation. La facturation est calculée quotidiennement en fonction du nombre de comptes de domaine actifs dans votre organisation.",
-    "billingRemoteExitNodesInfo": "Vous êtes facturé pour chaque noeud géré dans l'organisation. La facturation est calculée quotidiennement en fonction du nombre de nœuds gérés actifs dans votre organisation.",
+    "billingSInfo": "Combien de sites vous pouvez utiliser",
+    "billingUsersInfo": "Combien d'utilisateurs vous pouvez utiliser",
+    "billingDomainInfo": "Combien de domaines vous pouvez utiliser",
+    "billingRemoteExitNodesInfo": "Combien de nœuds distants vous pouvez utiliser",
+    "billingLicenseKeys": "Clés de licence",
+    "billingLicenseKeysDescription": "Gérer vos abonnements à la clé de licence",
+    "billingLicenseSubscription": "Abonnement à la licence",
+    "billingInactive": "Inactif",
+    "billingLicenseItem": "Article de la licence",
+    "billingQuantity": "Quantité",
+    "billingTotal": "total",
+    "billingModifyLicenses": "Modifier l'abonnement à la licence",
    "domainNotFound": "Domaine introuvable",
    "domainNotFoundDescription": "Cette ressource est désactivée car le domaine n'existe plus dans notre système. Veuillez définir un nouveau domaine pour cette ressource.",
    "failed": "Échec",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Clé de sécurité supprimée avec succès",
    "securityKeyRemoveError": "Échec de la suppression de la clé de sécurité",
    "securityKeyLoadError": "Échec du chargement des clés de sécurité",
-    "securityKeyLogin": "Continuer avec une clé de sécurité",
+    "securityKeyLogin": "Utiliser la clé de sécurité",
    "securityKeyAuthError": "Échec de l'authentification avec la clé de sécurité",
    "securityKeyRecommendation": "Envisagez d'enregistrer une autre clé de sécurité sur un appareil différent pour vous assurer de ne pas être bloqué de votre compte.",
    "registering": "Enregistrement...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Le numéro de port est requis pour les ressources non-HTTP",
    "resourcePortNotAllowed": "Le numéro de port ne doit pas être défini pour les ressources HTTP",
    "billingPricingCalculatorLink": "Calculateur de prix",
+    "billingYourPlan": "Votre plan",
+    "billingViewOrModifyPlan": "Voir ou modifier votre forfait actuel",
+    "billingViewPlanDetails": "Voir les détails du plan",
+    "billingUsageAndLimits": "Utilisation et limites",
+    "billingViewUsageAndLimits": "Voir les limites de votre plan et l'utilisation actuelle",
+    "billingCurrentUsage": "Utilisation actuelle",
+    "billingMaximumLimits": "Limites maximum",
+    "billingRemoteNodes": "Nœuds distants",
+    "billingUnlimited": "Illimité",
+    "billingPaidLicenseKeys": "Clés de licence payantes",
+    "billingManageLicenseSubscription": "Gérer votre abonnement pour les clés de licence auto-hébergées payantes",
+    "billingCurrentKeys": "Clés actuelles",
+    "billingModifyCurrentPlan": "Modifier le plan actuel",
+    "billingConfirmUpgrade": "Confirmer la mise à niveau",
+    "billingConfirmDowngrade": "Confirmer la rétrogradation",
+    "billingConfirmUpgradeDescription": "Vous êtes sur le point de mettre à niveau votre offre. Examinez les nouvelles limites et les nouveaux prix ci-dessous.",
+    "billingConfirmDowngradeDescription": "Vous êtes sur le point de rétrograder votre forfait. Examinez les nouvelles limites et les prix ci-dessous.",
+    "billingPlanIncludes": "Le forfait comprend",
+    "billingProcessing": "Traitement en cours...",
+    "billingConfirmUpgradeButton": "Confirmer la mise à niveau",
+    "billingConfirmDowngradeButton": "Confirmer la rétrogradation",
+    "billingLimitViolationWarning": "Utilisation dépassée les nouvelles limites de plan",
+    "billingLimitViolationDescription": "Votre utilisation actuelle dépasse les limites de ce plan. Après rétrogradation, toutes les actions seront désactivées jusqu'à ce que vous réduisiez l'utilisation dans les nouvelles limites. Veuillez consulter les fonctionnalités ci-dessous qui dépassent actuellement les limites. Limites en violation :",
+    "billingFeatureLossWarning": "Avis de disponibilité des fonctionnalités",
+    "billingFeatureLossDescription": "En rétrogradant, les fonctionnalités non disponibles dans le nouveau plan seront automatiquement désactivées. Certains paramètres et configurations peuvent être perdus. Veuillez consulter la matrice de prix pour comprendre quelles fonctionnalités ne seront plus disponibles.",
+    "billingUsageExceedsLimit": "L'utilisation actuelle ({current}) dépasse la limite ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Je suis d'accord avec",
        "termsOfService": "les conditions d'utilisation",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Intervalle sain",
    "timeoutSeconds": "Délai d'attente (sec)",
    "timeIsInSeconds": "Le temps est exprimé en secondes",
+    "requireDeviceApproval": "Exiger les autorisations de l'appareil",
+    "requireDeviceApprovalDescription": "Les utilisateurs ayant ce rôle ont besoin de nouveaux périphériques approuvés par un administrateur avant de pouvoir se connecter et accéder aux ressources.",
    "retryAttempts": "Tentatives de réessai",
    "expectedResponseCodes": "Codes de réponse attendus",
    "expectedResponseCodesDescription": "Code de statut HTTP indiquant un état de santé satisfaisant. Si non renseigné, 200-300 est considéré comme satisfaisant.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Aucune ressource interne trouvée.",
    "resourcesTableDestination": "Destination",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adresse de l'alias",
+    "resourcesTableAliasAddressInfo": "Cette adresse fait partie du sous-réseau utilitaire de l'organisation. Elle est utilisée pour résoudre les enregistrements d'alias en utilisant une résolution DNS interne.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "et sont uniquement accessibles en interne lorsqu'elles sont connectées avec un client.",
    "resourcesTableNoTargets": "Aucune cible",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
    "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
    "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
-    "orgAuthSignInToOrg": "Connectez-vous à une organisation",
+    "orgAuthSignInToOrg": "Se connecter à une organisation",
    "orgAuthSelectOrgTitle": "Connexion à l'organisation",
    "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
    "orgAuthOrgIdPlaceholder": "votre-organisation",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Retour à la connexion standard",
    "orgAuthNoAccount": "Vous n'avez pas de compte ?",
    "subscriptionRequiredToUse": "Un abonnement est requis pour utiliser cette fonctionnalité.",
+    "mustUpgradeToUse": "Vous devez mettre à jour votre abonnement pour utiliser cette fonctionnalité.",
+    "subscriptionRequiredTierToUse": "Cette fonctionnalité nécessite <tierLink>{tier}</tierLink> ou supérieur.",
+    "upgradeToTierToUse": "Passez à <tierLink>{tier}</tierLink> ou plus pour utiliser cette fonctionnalité.",
+    "subscriptionTierTier1": "Domicile",
+    "subscriptionTierTier2": "Equipe",
+    "subscriptionTierTier3": "Entreprise",
+    "subscriptionTierEnterprise": "Entreprise",
    "idpDisabled": "Les fournisseurs d'identité sont désactivés.",
    "orgAuthPageDisabled": "La page d'authentification de l'organisation est désactivée.",
    "domainRestartedDescription": "La vérification du domaine a été redémarrée avec succès",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Obtenir une licence",
+        "description": "Choisissez un plan et dites-nous comment vous comptez utiliser Pangolin.",
+        "chooseTier": "Choisissez votre forfait",
+        "viewPricingLink": "Voir les prix, les fonctionnalités et les limites",
+        "tiers": {
+            "starter": {
+                "title": "Démarrage",
+                "description": "Fonctionnalités d'entreprise, 25 utilisateurs, 25 sites et un support communautaire."
+            },
+            "scale": {
+                "title": "Échelle",
+                "description": "Fonctionnalités d'entreprise, 50 utilisateurs, 50 sites et une prise en charge prioritaire."
+            }
+        },
+        "personalUseOnly": "Utilisation personnelle uniquement (licence gratuite — sans checkout)",
+        "buttons": {
+            "continueToCheckout": "Continuer vers le paiement"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Erreur de paiement",
+                "description": "Impossible de commencer la commande. Veuillez réessayer."
+            }
+        }
+    },
    "priority": "Priorité",
    "priorityDescription": "Les routes de haute priorité sont évaluées en premier. La priorité = 100 signifie l'ordre automatique (décision du système). Utilisez un autre nombre pour imposer la priorité manuelle.",
    "instanceName": "Nom de l'instance",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
    "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
    "licenseRequiredToUse": "Une licence Entreprise est nécessaire pour utiliser cette fonctionnalité.",
+    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité.",
    "certResolver": "Résolveur de certificat",
    "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
    "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Le code doit contenir 9 caractères (par exemple, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Code invalide ou expiré",
    "deviceCodeVerifyFailed": "Impossible de vérifier le code de l'appareil",
+    "deviceCodeValidating": "Validation du code de l'appareil...",
+    "deviceCodeVerifying": "Vérification de l'autorisation de l'appareil...",
    "signedInAs": "Connecté en tant que",
    "deviceCodeEnterPrompt": "Entrez le code affiché sur l'appareil",
    "continue": "Continuer",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Accès à toutes les organisations auxquelles votre compte a accès",
    "deviceAuthorize": "Autoriser {applicationName}",
    "deviceConnected": "Appareil connecté !",
-    "deviceAuthorizedMessage": "L'appareil est autorisé à accéder à votre compte.",
+    "deviceAuthorizedMessage": "L'appareil est autorisé à accéder à votre compte. Veuillez retourner à l'application client.",
    "pangolinCloud": "Nuage de Pangolin",
    "viewDevices": "Voir les appareils",
    "viewDevicesDescription": "Gérer vos appareils connectés",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifiant",
    "deviceLoginUseDifferentAccount": "Pas vous ? Utilisez un autre compte.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un appareil demande l'accès à ce compte.",
+    "loginSelectAuthenticationMethod": "Sélectionnez une méthode d'authentification pour continuer.",
    "noData": "Aucune donnée",
    "machineClients": "Clients Machines",
    "install": "Installer",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Service temporairement indisponible",
    "maintenanceScreenMessage": "Nous rencontrons actuellement des difficultés techniques. Veuillez vérifier ultérieurement.",
    "maintenanceScreenEstimatedCompletion": "Achèvement estimé :",
-    "createInternalResourceDialogDestinationRequired": "La destination est requise"
+    "createInternalResourceDialogDestinationRequired": "La destination est requise",
+    "available": "Disponible",
+    "archived": "Archivé",
+    "noArchivedDevices": "Aucun périphérique archivé trouvé",
+    "deviceArchived": "Appareil archivé",
+    "deviceArchivedDescription": "L'appareil a été archivé avec succès.",
+    "errorArchivingDevice": "Erreur lors de l'archivage du périphérique",
+    "failedToArchiveDevice": "Impossible d'archiver l'appareil",
+    "deviceQuestionArchive": "Êtes-vous sûr de vouloir archiver cet appareil ?",
+    "deviceMessageArchive": "Le périphérique sera archivé et retiré de la liste des périphériques actifs.",
+    "deviceArchiveConfirm": "Dispositif d'archivage",
+    "archiveDevice": "Dispositif d'archivage",
+    "archive": "Archive",
+    "deviceUnarchived": "Appareil désarchivé",
+    "deviceUnarchivedDescription": "L'appareil a été désarchivé avec succès.",
+    "errorUnarchivingDevice": "Erreur lors de la désarchivage du périphérique",
+    "failedToUnarchiveDevice": "Échec de la désarchivage de l'appareil",
+    "unarchive": "Désarchiver",
+    "archiveClient": "Archiver le client",
+    "archiveClientQuestion": "Êtes-vous sûr de vouloir archiver ce client?",
+    "archiveClientMessage": "Le client sera archivé et retiré de votre liste de clients actifs.",
+    "archiveClientConfirm": "Archiver le client",
+    "blockClient": "Bloquer le client",
+    "blockClientQuestion": "Êtes-vous sûr de vouloir bloquer ce client?",
+    "blockClientMessage": "L'appareil sera forcé de se déconnecter si vous êtes actuellement connecté. Vous pourrez débloquer l'appareil plus tard.",
+    "blockClientConfirm": "Bloquer le client",
+    "active": "Actif",
+    "usernameOrEmail": "Nom d'utilisateur ou email",
+    "selectYourOrganization": "Sélectionnez votre organisation",
+    "signInTo": "Se connecter à",
+    "signInWithPassword": "Continuer avec le mot de passe",
+    "noAuthMethodsAvailable": "Aucune méthode d'authentification disponible pour cette organisation.",
+    "enterPassword": "Entrez votre mot de passe",
+    "enterMfaCode": "Entrez le code de votre application d'authentification",
+    "securityKeyRequired": "Veuillez utiliser votre clé de sécurité pour vous connecter.",
+    "needToUseAnotherAccount": "Besoin d'un autre compte ?",
+    "loginLegalDisclaimer": "En cliquant sur les boutons ci-dessous, vous reconnaissez avoir lu, compris et accepté les <termsOfService>Conditions d'utilisation</termsOfService> et la <privacyPolicy>Politique de confidentialité</privacyPolicy>.",
+    "termsOfService": "Conditions d'utilisation",
+    "privacyPolicy": "Politique de confidentialité",
+    "userNotFoundWithUsername": "Aucun utilisateur trouvé avec ce nom d'utilisateur.",
+    "verify": "Vérifier",
+    "signIn": "Se connecter",
+    "forgotPassword": "Mot de passe oublié ?",
+    "orgSignInTip": "Si vous vous êtes déjà connecté, vous pouvez entrer votre nom d'utilisateur ou votre e-mail ci-dessus pour vous authentifier auprès du fournisseur d'identité de votre organisation. C'est plus facile !",
+    "continueAnyway": "Continuer quand même",
+    "dontShowAgain": "Ne plus afficher",
+    "orgSignInNotice": "Le saviez-vous ?",
+    "signupOrgNotice": "Vous essayez de vous connecter ?",
+    "signupOrgTip": "Essayez-vous de vous connecter par l'intermédiaire du fournisseur d'identité de votre organisme?",
+    "signupOrgLink": "Connectez-vous ou inscrivez-vous avec votre organisation à la place",
+    "verifyEmailLogInWithDifferentAccount": "Utiliser un compte différent",
+    "logIn": "Se connecter",
+    "deviceInformation": "Informations sur l'appareil",
+    "deviceInformationDescription": "Informations sur l'appareil et l'agent",
+    "deviceSecurity": "Sécurité de l'appareil",
+    "deviceSecurityDescription": "Informations sur la posture de sécurité de l'appareil",
+    "platform": "Plateforme",
+    "macosVersion": "Version macOS",
+    "windowsVersion": "Version de Windows",
+    "iosVersion": "Version iOS",
+    "androidVersion": "Version d'Android",
+    "osVersion": "Version du système d'exploitation",
+    "kernelVersion": "Version du noyau",
+    "deviceModel": "Modèle de l'appareil",
+    "serialNumber": "Numéro de série",
+    "hostname": "Hostname",
+    "firstSeen": "Première vue",
+    "lastSeen": "Dernière vue",
+    "biometricsEnabled": "biométrique activée",
+    "diskEncrypted": "Disque chiffré",
+    "firewallEnabled": "Pare-feu activé",
+    "autoUpdatesEnabled": "Mises à jour automatiques activées",
+    "tpmAvailable": "TPM disponible",
+    "windowsAntivirusEnabled": "Antivirus activé",
+    "macosSipEnabled": "Protection contre l'intégrité du système (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Mode furtif du pare-feu",
+    "linuxAppArmorEnabled": "Armure d'application",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Afficher les informations et les paramètres de l'appareil",
+    "devicePendingApprovalDescription": "Cet appareil est en attente d'approbation",
+    "deviceBlockedDescription": "Cet appareil est actuellement bloqué. Il ne pourra se connecter à aucune ressource à moins d'être débloqué.",
+    "unblockClient": "Débloquer le client",
+    "unblockClientDescription": "L'appareil a été débloqué",
+    "unarchiveClient": "Désarchiver le client",
+    "unarchiveClientDescription": "L'appareil a été désarchivé",
+    "block": "Bloquer",
+    "unblock": "Débloquer",
+    "deviceActions": "Actions de l'appareil",
+    "deviceActionsDescription": "Gérer le statut et l'accès de l'appareil",
+    "devicePendingApprovalBannerDescription": "Cet appareil est en attente d'approbation. Il ne sera pas en mesure de se connecter aux ressources jusqu'à ce qu'il soit approuvé.",
+    "connected": "Connecté",
+    "disconnected": "Déconnecté",
+    "approvalsEmptyStateTitle": "Approbations de l'appareil non activées",
+    "approvalsEmptyStateDescription": "Activer les autorisations de l'appareil pour les rôles qui nécessitent l'approbation de l'administrateur avant que les utilisateurs puissent connecter de nouveaux appareils.",
+    "approvalsEmptyStateStep1Title": "Aller aux Rôles",
+    "approvalsEmptyStateStep1Description": "Accédez aux paramètres de rôles de votre organisation pour configurer les autorisations de l'appareil.",
+    "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
+    "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
+    "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
+    "approvalsEmptyStateButtonText": "Gérer les rôles"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -18,6 +18,8 @@
    "componentsMember": "Sei un membro di {count, plural, =0 {nessuna organizzazione} one {un'organizzazione} other {# organizzazioni}}.",
    "componentsInvalidKey": "Rilevata chiave di licenza non valida o scaduta. Segui i termini di licenza per continuare a utilizzare tutte le funzionalità.",
    "dismiss": "Ignora",
+    "subscriptionViolationMessage": "Hai superato i tuoi limiti per il tuo piano attuale. Correggi il problema rimuovendo siti, utenti o altre risorse per rimanere all'interno del tuo piano.",
+    "subscriptionViolationViewBilling": "Visualizza fatturazione",
    "componentsLicenseViolation": "Violazione della licenza: Questo server sta usando i siti {usedSites} che superano il suo limite concesso in licenza per i siti {maxSites} . Segui i termini di licenza per continuare a usare tutte le funzionalità.",
    "componentsSupporterMessage": "Grazie per aver supportato Pangolin come {tier}!",
    "inviteErrorNotValid": "Siamo spiacenti, ma sembra che l'invito che stai cercando di accedere non sia stato accettato o non sia più valido.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Connetti Qualsiasi Rete",
    "sitesBannerDescription": "Un sito è una connessione a una rete remota che consente a Pangolin di fornire accesso alle risorse, pubbliche o private, agli utenti ovunque. Installa il connettore di rete del sito (Newt) ovunque tu possa eseguire un binario o un container per stabilire la connessione.",
    "sitesBannerButtonText": "Installa Sito",
+    "approvalsBannerTitle": "Approva o nega l'accesso al dispositivo",
+    "approvalsBannerDescription": "Controlla e approva o nega le richieste di accesso al dispositivo da parte degli utenti. Quando le approvazioni del dispositivo sono richieste, gli utenti devono ottenere l'approvazione dell'amministratore prima che i loro dispositivi possano connettersi alle risorse della vostra organizzazione.",
+    "approvalsBannerButtonText": "Scopri di più",
    "siteCreate": "Crea Sito",
    "siteCreateDescription2": "Segui i passaggi qui sotto per creare e collegare un nuovo sito",
    "siteCreateDescription": "Crea un nuovo sito per iniziare a connettere le risorse",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Ricerca ruoli...",
    "accessRolesAdd": "Aggiungi Ruolo",
    "accessRoleDelete": "Elimina Ruolo",
+    "accessApprovalsManage": "Gestisci Approvazioni",
+    "accessApprovalsDescription": "Visualizza e gestisci le approvazioni in attesa per accedere a questa organizzazione",
    "description": "Descrizione",
    "inviteTitle": "Inviti Aperti",
    "inviteDescription": "Gestisci gli inviti per gli altri utenti a unirsi all'organizzazione",
@@ -450,6 +457,18 @@
    "selectDuration": "Seleziona durata",
    "selectResource": "Seleziona Risorsa",
    "filterByResource": "Filtra Per Risorsa",
+    "selectApprovalState": "Seleziona Stato Di Approvazione",
+    "filterByApprovalState": "Filtra Per Stato Di Approvazione",
+    "approvalListEmpty": "Nessuna approvazione",
+    "approvalState": "Stato Di Approvazione",
+    "approve": "Approva",
+    "approved": "Approvato",
+    "denied": "Negato",
+    "deniedApproval": "Omologazione Negata",
+    "all": "Tutti",
+    "deny": "Nega",
+    "viewDetails": "Visualizza Dettagli",
+    "requestingNewDeviceApproval": "ha richiesto un nuovo dispositivo",
    "resetFilters": "Ripristina Filtri",
    "totalBlocked": "Richieste Bloccate Da Pangolino",
    "totalRequests": "Totale Richieste",
@@ -729,16 +748,28 @@
    "countries": "Paesi",
    "accessRoleCreate": "Crea Ruolo",
    "accessRoleCreateDescription": "Crea un nuovo ruolo per raggruppare gli utenti e gestire i loro permessi.",
+    "accessRoleEdit": "Modifica Ruolo",
+    "accessRoleEditDescription": "Modifica informazioni sul ruolo.",
    "accessRoleCreateSubmit": "Crea Ruolo",
    "accessRoleCreated": "Ruolo creato",
    "accessRoleCreatedDescription": "Il ruolo è stato creato con successo.",
    "accessRoleErrorCreate": "Impossibile creare il ruolo",
    "accessRoleErrorCreateDescription": "Si è verificato un errore durante la creazione del ruolo.",
+    "accessRoleUpdateSubmit": "Aggiorna Ruolo",
+    "accessRoleUpdated": "Ruolo aggiornato",
+    "accessRoleUpdatedDescription": "Il ruolo è stato aggiornato con successo.",
+    "accessApprovalUpdated": "Approvazione trattata",
+    "accessApprovalApprovedDescription": "Impostare la decisione di richiesta di approvazione da approvare.",
+    "accessApprovalDeniedDescription": "Imposta la decisione di richiesta di approvazione negata.",
+    "accessRoleErrorUpdate": "Impossibile aggiornare il ruolo",
+    "accessRoleErrorUpdateDescription": "Si è verificato un errore nell'aggiornamento del ruolo.",
+    "accessApprovalErrorUpdate": "Impossibile elaborare l'approvazione",
+    "accessApprovalErrorUpdateDescription": "Si è verificato un errore durante l'elaborazione dell'approvazione.",
    "accessRoleErrorNewRequired": "Nuovo ruolo richiesto",
    "accessRoleErrorRemove": "Impossibile rimuovere il ruolo",
    "accessRoleErrorRemoveDescription": "Si è verificato un errore durante la rimozione del ruolo.",
    "accessRoleName": "Nome Del Ruolo",
-    "accessRoleQuestionRemove": "Stai per eliminare il ruolo {name}. Non puoi annullare questa azione.",
+    "accessRoleQuestionRemove": "Stai per eliminare il ruolo `{name}`. Non puoi annullare questa azione.",
    "accessRoleRemove": "Rimuovi Ruolo",
    "accessRoleRemoveDescription": "Rimuovi un ruolo dall'organizzazione",
    "accessRoleRemoveSubmit": "Rimuovi Ruolo",
@@ -874,7 +905,7 @@
    "inviteAlready": "Sembra che sei stato invitato!",
    "inviteAlreadyDescription": "Per accettare l'invito, devi accedere o creare un account.",
    "signupQuestion": "Hai già un account?",
-    "login": "Accedi",
+    "login": "Log In",
    "resourceNotFound": "Risorsa Non Trovata",
    "resourceNotFoundDescription": "La risorsa che stai cercando di accedere non esiste.",
    "pincodeRequirementsLength": "Il PIN deve essere esattamente di 6 cifre",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Questa organizzazione richiede di cambiare la password ogni {maxDays} giorni.",
    "changePasswordNow": "Cambia Password Ora",
    "pincodeAuth": "Codice Autenticatore",
-    "pincodeSubmit2": "Invia Codice",
+    "pincodeSubmit2": "Invia codice",
    "passwordResetSubmit": "Richiedi Reset",
    "passwordResetAlreadyHaveCode": "Inserisci Codice",
    "passwordResetSmtpRequired": "Si prega di contattare l'amministratore",
    "passwordResetSmtpRequiredDescription": "Per reimpostare la password è necessario un codice di reimpostazione della password. Si prega di contattare l'amministratore per assistenza.",
    "passwordBack": "Torna alla Password",
-    "loginBack": "Torna al login",
+    "loginBack": "Torna alla pagina di accesso principale",
    "signup": "Registrati",
    "loginStart": "Accedi per iniziare",
    "idpOidcTokenValidating": "Convalida token OIDC",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Aggiorna Org IDP",
    "actionCreateClient": "Crea Client",
    "actionDeleteClient": "Elimina Client",
+    "actionArchiveClient": "Archivia Client",
+    "actionUnarchiveClient": "Annulla Archiviazione Client",
+    "actionBlockClient": "Blocca Client",
+    "actionUnblockClient": "Sblocca Client",
    "actionUpdateClient": "Aggiorna Client",
    "actionListClients": "Elenco Clienti",
    "actionGetClient": "Ottieni Client",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Ricerca...",
    "create": "Crea",
    "orgs": "Organizzazioni",
-    "loginError": "Si è verificato un errore durante l'accesso",
-    "loginRequiredForDevice": "È richiesto il login per autenticare il dispositivo.",
+    "loginError": "Si è verificato un errore imprevisto. Riprova.",
+    "loginRequiredForDevice": "Il login è richiesto per il tuo dispositivo.",
    "passwordForgot": "Password dimenticata?",
    "otpAuth": "Autenticazione a Due Fattori",
    "otpAuthDescription": "Inserisci il codice dalla tua app di autenticazione o uno dei tuoi codici di backup monouso.",
    "otpAuthSubmit": "Invia Codice",
    "idpContinue": "O continua con",
-    "otpAuthBack": "Torna al Login",
+    "otpAuthBack": "Torna alla Password",
    "navbar": "Menu di Navigazione",
    "navbarDescription": "Menu di navigazione principale dell'applicazione",
    "navbarDocsLink": "Documentazione",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Panoramica",
    "sidebarHome": "Home",
    "sidebarSites": "Siti",
+    "sidebarApprovals": "Richieste Di Approvazione",
    "sidebarResources": "Risorse",
    "sidebarProxyResources": "Pubblico",
    "sidebarClientResources": "Privato",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Fornitori Di Identità",
    "sidebarLicense": "Licenza",
    "sidebarClients": "Client",
-    "sidebarUserDevices": "Utenti",
+    "sidebarUserDevices": "Dispositivi Utente",
    "sidebarMachineClients": "Macchine",
    "sidebarDomains": "Domini",
    "sidebarGeneral": "Gestisci",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Si è verificato un errore durante la creazione dell'account amministratore del server.",
    "certificateStatus": "Stato del Certificato",
    "loading": "Caricamento",
+    "loadingAnalytics": "Caricamento Delle Analisi",
    "restart": "Riavvia",
    "domains": "Domini",
    "domainsDescription": "Creare e gestire i domini disponibili nell'organizzazione",
@@ -1304,6 +1341,7 @@
    "refreshError": "Impossibile aggiornare i dati",
    "verified": "Verificato",
    "pending": "In attesa",
+    "pendingApproval": "Approvazione In Attesa",
    "sidebarBilling": "Fatturazione",
    "billing": "Fatturazione",
    "orgBillingDescription": "Gestisci le informazioni di fatturazione e gli abbonamenti",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Panoramica dei Limiti di Utilizzo",
    "billingMonitorUsage": "Monitora il tuo utilizzo rispetto ai limiti configurati. Se hai bisogno di aumentare i limiti, contattaci all'indirizzo support@pangolin.net.",
    "billingDataUsage": "Utilizzo dei Dati",
-    "billingOnlineTime": "Tempo Online del Sito",
-    "billingUsers": "Utenti Attivi",
-    "billingDomains": "Domini Attivi",
-    "billingRemoteExitNodes": "Nodi Self-hosted Attivi",
+    "billingSites": "Siti",
+    "billingUsers": "Utenti",
+    "billingDomains": "Domini",
+    "billingRemoteExitNodes": "Nodi Remoti",
    "billingNoLimitConfigured": "Nessun limite configurato",
    "billingEstimatedPeriod": "Periodo di Fatturazione Stimato",
    "billingIncludedUsage": "Utilizzo Incluso",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Errore durante l'ottenimento dell'URL del portale",
    "billingPortalError": "Errore del Portale",
    "billingDataUsageInfo": "Hai addebitato tutti i dati trasferiti attraverso i tunnel sicuri quando sei connesso al cloud. Questo include sia il traffico in entrata e in uscita attraverso tutti i siti. Quando si raggiunge il limite, i siti si disconnetteranno fino a quando non si aggiorna il piano o si riduce l'utilizzo. I dati non vengono caricati quando si utilizzano nodi.",
-    "billingOnlineTimeInfo": "Ti viene addebitato in base al tempo in cui i tuoi siti rimangono connessi al cloud. Ad esempio, 44,640 minuti è uguale a un sito in esecuzione 24/7 per un mese intero. Quando raggiungi il tuo limite, i tuoi siti si disconnetteranno fino a quando non aggiorni il tuo piano o riduci l'utilizzo. Il tempo non viene caricato quando si usano i nodi.",
-    "billingUsersInfo": "Sei addebitato per ogni utente nell'organizzazione. La fatturazione viene calcolata quotidianamente in base al numero di account utente attivi nel tuo org.",
-    "billingDomainInfo": "Sei addebitato per ogni dominio nell'organizzazione. La fatturazione viene calcolata quotidianamente in base al numero di account di dominio attivi nel tuo org.",
-    "billingRemoteExitNodesInfo": "Sei addebitato per ogni nodo gestito nell'organizzazione. La fatturazione viene calcolata quotidianamente in base al numero di nodi gestiti attivi nel tuo org.",
+    "billingSInfo": "Quanti siti puoi usare",
+    "billingUsersInfo": "Quanti utenti puoi usare",
+    "billingDomainInfo": "Quanti domini puoi usare",
+    "billingRemoteExitNodesInfo": "Quanti nodi remoti puoi usare",
+    "billingLicenseKeys": "Chiavi di Licenza",
+    "billingLicenseKeysDescription": "Gestisci le sottoscrizioni alla chiave di licenza",
+    "billingLicenseSubscription": "Abbonamento Licenza",
+    "billingInactive": "Inattivo",
+    "billingLicenseItem": "Elemento Licenza",
+    "billingQuantity": "Quantità",
+    "billingTotal": "totale",
+    "billingModifyLicenses": "Modifica Abbonamento Licenza",
    "domainNotFound": "Domini Non Trovati",
    "domainNotFoundDescription": "Questa risorsa è disabilitata perché il dominio non esiste più nel nostro sistema. Si prega di impostare un nuovo dominio per questa risorsa.",
    "failed": "Fallito",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Chiave di sicurezza rimossa con successo",
    "securityKeyRemoveError": "Errore durante la rimozione della chiave di sicurezza",
    "securityKeyLoadError": "Errore durante il caricamento delle chiavi di sicurezza",
-    "securityKeyLogin": "Continua con la chiave di sicurezza",
+    "securityKeyLogin": "Usa Chiave Di Sicurezza",
    "securityKeyAuthError": "Errore durante l'autenticazione con chiave di sicurezza",
    "securityKeyRecommendation": "Considera di registrare un'altra chiave di sicurezza su un dispositivo diverso per assicurarti di non rimanere bloccato fuori dal tuo account.",
    "registering": "Registrazione in corso...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Numero di porta richiesto per risorse non-HTTP",
    "resourcePortNotAllowed": "Il numero di porta non deve essere impostato per risorse HTTP",
    "billingPricingCalculatorLink": "Calcolatore di Prezzi",
+    "billingYourPlan": "Il Tuo Piano",
+    "billingViewOrModifyPlan": "Visualizza o modifica il tuo piano corrente",
+    "billingViewPlanDetails": "Visualizza Dettagli Piano",
+    "billingUsageAndLimits": "Utilizzo e limiti",
+    "billingViewUsageAndLimits": "Visualizza i limiti del tuo piano e l'utilizzo corrente",
+    "billingCurrentUsage": "Utilizzo Corrente",
+    "billingMaximumLimits": "Limiti Massimi",
+    "billingRemoteNodes": "Nodi Remoti",
+    "billingUnlimited": "Illimitato",
+    "billingPaidLicenseKeys": "Chiavi Di Licenza Pagate",
+    "billingManageLicenseSubscription": "Gestisci il tuo abbonamento per le chiavi di licenza self-hosted a pagamento",
+    "billingCurrentKeys": "Tasti Attuali",
+    "billingModifyCurrentPlan": "Modifica Il Piano Corrente",
+    "billingConfirmUpgrade": "Conferma Aggiornamento",
+    "billingConfirmDowngrade": "Conferma Downgrade",
+    "billingConfirmUpgradeDescription": "Stai per aggiornare il tuo piano. Controlla i nuovi limiti e prezzi qui sotto.",
+    "billingConfirmDowngradeDescription": "Stai per effettuare il downgrade del tuo piano. Controlla i nuovi limiti e i prezzi qui sotto.",
+    "billingPlanIncludes": "Piano Include",
+    "billingProcessing": "Elaborazione...",
+    "billingConfirmUpgradeButton": "Conferma Aggiornamento",
+    "billingConfirmDowngradeButton": "Conferma Downgrade",
+    "billingLimitViolationWarning": "Utilizzo Supera I Nuovi Limiti Del Piano",
+    "billingLimitViolationDescription": "Il tuo utilizzo attuale supera i limiti di questo piano. Dopo il downgrading, tutte le azioni saranno disabilitate fino a ridurre l'utilizzo entro i nuovi limiti. Si prega di rivedere le caratteristiche qui sotto che sono attualmente oltre i limiti. Limiti di violazione:",
+    "billingFeatureLossWarning": "Avviso Di Disponibilità Caratteristica",
+    "billingFeatureLossDescription": "Con il downgrading, le funzioni non disponibili nel nuovo piano saranno disattivate automaticamente. Alcune impostazioni e configurazioni potrebbero andare perse. Controlla la matrice dei prezzi per capire quali funzioni non saranno più disponibili.",
+    "billingUsageExceedsLimit": "L'utilizzo corrente ({current}) supera il limite ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Accetto i",
        "termsOfService": "termini di servizio",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Intervallo Sano",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Il tempo è in secondi",
+    "requireDeviceApproval": "Richiede Approvazioni Dispositivo",
+    "requireDeviceApprovalDescription": "Gli utenti con questo ruolo hanno bisogno di nuovi dispositivi approvati da un amministratore prima di poter connettersi e accedere alle risorse.",
    "retryAttempts": "Tentativi di Riprova",
    "expectedResponseCodes": "Codici di Risposta Attesi",
    "expectedResponseCodesDescription": "Codice di stato HTTP che indica lo stato di salute. Se lasciato vuoto, considerato sano è compreso tra 200-300.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Nessuna risorsa interna trovata.",
    "resourcesTableDestination": "Destinazione",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Indirizzo Alias",
+    "resourcesTableAliasAddressInfo": "Questo indirizzo fa parte della subnet di utilità dell'organizzazione. È usato per risolvere i record alias usando la risoluzione DNS interna.",
    "resourcesTableClients": "Client",
    "resourcesTableAndOnlyAccessibleInternally": "e sono accessibili solo internamente quando connessi con un client.",
    "resourcesTableNoTargets": "Nessun obiettivo",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Torna alla modalità di accesso standard",
    "orgAuthNoAccount": "Non hai un account?",
    "subscriptionRequiredToUse": "Per utilizzare questa funzionalità è necessario un abbonamento.",
+    "mustUpgradeToUse": "Devi aggiornare il tuo abbonamento per utilizzare questa funzionalità.",
+    "subscriptionRequiredTierToUse": "Questa funzione richiede <tierLink>{tier}</tierLink> o superiore.",
+    "upgradeToTierToUse": "Aggiorna ad <tierLink>{tier}</tierLink> o superiore per utilizzare questa funzionalità.",
+    "subscriptionTierTier1": "Home",
+    "subscriptionTierTier2": "Squadra",
+    "subscriptionTierTier3": "Business",
+    "subscriptionTierEnterprise": "Impresa",
    "idpDisabled": "I provider di identità sono disabilitati.",
    "orgAuthPageDisabled": "La pagina di autenticazione dell'organizzazione è disabilitata.",
    "domainRestartedDescription": "Verifica del dominio riavviata con successo",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Ottieni una licenza",
+        "description": "Scegli un piano e ci dica come intendi usare Pangolin.",
+        "chooseTier": "Scegli il tuo piano",
+        "viewPricingLink": "Vedi prezzi, funzionalità e limiti",
+        "tiers": {
+            "starter": {
+                "title": "Avviatore",
+                "description": "Caratteristiche aziendali, 25 utenti, 25 siti e supporto alla comunità."
+            },
+            "scale": {
+                "title": "Scala",
+                "description": "Funzionalità aziendali, 50 utenti, 50 siti e supporto prioritario."
+            }
+        },
+        "personalUseOnly": "Solo uso personale (licenza gratuita — nessun checkout)",
+        "buttons": {
+            "continueToCheckout": "Continua al Checkout"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Errore di pagamento",
+                "description": "Impossibile avviare il checkout. Per favore riprova."
+            }
+        }
+    },
    "priority": "Priorità",
    "priorityDescription": "I percorsi prioritari più alti sono valutati prima. Priorità = 100 significa ordinamento automatico (decidi di sistema). Usa un altro numero per applicare la priorità manuale.",
    "instanceName": "Nome Istanza",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
    "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza Enterprise.",
+    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione.",
    "certResolver": "Risolutore Di Certificato",
    "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
    "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Il codice deve contenere 9 caratteri (es. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Codice non valido o scaduto",
    "deviceCodeVerifyFailed": "Impossibile verificare il codice del dispositivo",
+    "deviceCodeValidating": "Convalida codice dispositivo...",
+    "deviceCodeVerifying": "Verifica autorizzazione dispositivo...",
    "signedInAs": "Accesso come",
    "deviceCodeEnterPrompt": "Inserisci il codice visualizzato sul dispositivo",
    "continue": "Continua",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Accesso a tutte le organizzazioni a cui il tuo account ha accesso",
    "deviceAuthorize": "Autorizza {applicationName}",
    "deviceConnected": "Dispositivo Connesso!",
-    "deviceAuthorizedMessage": "Il dispositivo è autorizzato ad accedere al tuo account.",
+    "deviceAuthorizedMessage": "Il dispositivo è autorizzato ad accedere al tuo account. Ritorna all'applicazione client.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Visualizza Dispositivi",
    "viewDevicesDescription": "Gestisci i tuoi dispositivi connessi",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Non tu? Usa un account diverso.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo sta richiedendo l'accesso a questo account.",
+    "loginSelectAuthenticationMethod": "Selezionare un metodo di autenticazione per continuare.",
    "noData": "Nessun Dato",
    "machineClients": "Machine Clients",
    "install": "Installa",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Servizio Temporaneamente Non Disponibile",
    "maintenanceScreenMessage": "Stiamo attualmente riscontrando difficoltà tecniche. Si prega di ricontrollare a breve.",
    "maintenanceScreenEstimatedCompletion": "Completamento Stimato:",
-    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta"
+    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta",
+    "available": "Disponibile",
+    "archived": "Archiviato",
+    "noArchivedDevices": "Nessun dispositivo archiviato trovato",
+    "deviceArchived": "Dispositivo archiviato",
+    "deviceArchivedDescription": "Il dispositivo è stato archiviato con successo.",
+    "errorArchivingDevice": "Errore nell'archiviazione del dispositivo",
+    "failedToArchiveDevice": "Impossibile archiviare il dispositivo",
+    "deviceQuestionArchive": "È sicuro di voler archiviare questo dispositivo?",
+    "deviceMessageArchive": "Il dispositivo verrà archiviato e rimosso dalla lista dei dispositivi attivi.",
+    "deviceArchiveConfirm": "Archivia Dispositivo",
+    "archiveDevice": "Archivia Dispositivo",
+    "archive": "Archivio",
+    "deviceUnarchived": "Dispositivo non archiviato",
+    "deviceUnarchivedDescription": "Il dispositivo è stato disarchiviato con successo.",
+    "errorUnarchivingDevice": "Errore nel disarchiviare il dispositivo",
+    "failedToUnarchiveDevice": "Disarchiviazione del dispositivo non riuscita",
+    "unarchive": "Disarchivia",
+    "archiveClient": "Archivia Client",
+    "archiveClientQuestion": "È sicuro di voler archiviare questo client?",
+    "archiveClientMessage": "Il client verrà archiviato e rimosso dalla lista dei client attivi.",
+    "archiveClientConfirm": "Archivia Client",
+    "blockClient": "Blocca Client",
+    "blockClientQuestion": "Sei sicuro di voler bloccare questo client?",
+    "blockClientMessage": "Il dispositivo sarà forzato a disconnettersi se attualmente connesso. Puoi sbloccare il dispositivo più tardi.",
+    "blockClientConfirm": "Blocca Client",
+    "active": "Attivo",
+    "usernameOrEmail": "Nome utente o Email",
+    "selectYourOrganization": "Seleziona la tua organizzazione",
+    "signInTo": "Accedi a",
+    "signInWithPassword": "Continua con la password",
+    "noAuthMethodsAvailable": "Nessun metodo di autenticazione disponibile per questa organizzazione.",
+    "enterPassword": "Inserisci la tua password",
+    "enterMfaCode": "Inserisci il codice dalla tua app di autenticazione",
+    "securityKeyRequired": "Utilizza la tua chiave di sicurezza per accedere.",
+    "needToUseAnotherAccount": "Hai bisogno di utilizzare un account diverso?",
+    "loginLegalDisclaimer": "Facendo clic sui pulsanti qui sotto, si riconosce di aver letto, capire, e accettare i Termini di Servizio <termsOfService></termsOfService> e <privacyPolicy>Privacy Policy</privacyPolicy>.",
+    "termsOfService": "Termini di servizio",
+    "privacyPolicy": "Politica Sulla Privacy",
+    "userNotFoundWithUsername": "Nessun utente trovato con questo nome utente.",
+    "verify": "Verifica",
+    "signIn": "Accedi",
+    "forgotPassword": "Password dimenticata?",
+    "orgSignInTip": "Se hai effettuato l'accesso prima, puoi inserire il tuo nome utente o email qui sopra per autenticarti con il provider di identità della tua organizzazione. È più facile!",
+    "continueAnyway": "Continua comunque",
+    "dontShowAgain": "Non mostrare più",
+    "orgSignInNotice": "Lo sapevate?",
+    "signupOrgNotice": "Cercando di accedere?",
+    "signupOrgTip": "Stai cercando di accedere tramite il provider di identità della tua organizzazione?",
+    "signupOrgLink": "Accedi o registrati con la tua organizzazione",
+    "verifyEmailLogInWithDifferentAccount": "Usa un account diverso",
+    "logIn": "Log In",
+    "deviceInformation": "Informazioni Sul Dispositivo",
+    "deviceInformationDescription": "Informazioni sul dispositivo e sull'agente",
+    "deviceSecurity": "Sicurezza Del Dispositivo",
+    "deviceSecurityDescription": "Informazioni postura sicurezza dispositivo",
+    "platform": "Piattaforma",
+    "macosVersion": "versione macOS",
+    "windowsVersion": "Versione Windows",
+    "iosVersion": "Versione iOS",
+    "androidVersion": "Versione Android",
+    "osVersion": "Versione OS",
+    "kernelVersion": "Versione Del Kernel",
+    "deviceModel": "Modello Di Dispositivo",
+    "serialNumber": "Numero D'Ordine",
+    "hostname": "Hostname",
+    "firstSeen": "Prima Visto",
+    "lastSeen": "Visto L'Ultima",
+    "biometricsEnabled": "Biometria Abilitata",
+    "diskEncrypted": "Cifratura Del Disco",
+    "firewallEnabled": "Firewall Abilitato",
+    "autoUpdatesEnabled": "Aggiornamenti Automatici Abilitati",
+    "tpmAvailable": "TPM Disponibile",
+    "windowsAntivirusEnabled": "Antivirus Abilitato",
+    "macosSipEnabled": "Protezione Dell'Integrità Del Sistema (Sip)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Furtivo Del Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Visualizza informazioni e impostazioni del dispositivo",
+    "devicePendingApprovalDescription": "Questo dispositivo è in attesa di approvazione",
+    "deviceBlockedDescription": "Questo dispositivo è attualmente bloccato. Non sarà in grado di connettersi a nessuna risorsa a meno che non sia sbloccato.",
+    "unblockClient": "Sblocca Client",
+    "unblockClientDescription": "Il dispositivo è stato sbloccato",
+    "unarchiveClient": "Annulla Archiviazione Client",
+    "unarchiveClientDescription": "Il dispositivo è stato disarchiviato",
+    "block": "Blocca",
+    "unblock": "Sblocca",
+    "deviceActions": "Azioni Dispositivo",
+    "deviceActionsDescription": "Gestisci lo stato del dispositivo e l'accesso",
+    "devicePendingApprovalBannerDescription": "Questo dispositivo è in attesa di approvazione. Non sarà in grado di connettersi alle risorse fino all'approvazione.",
+    "connected": "Connesso",
+    "disconnected": "Disconnesso",
+    "approvalsEmptyStateTitle": "Approvazioni Dispositivo Non Abilitato",
+    "approvalsEmptyStateDescription": "Abilita le approvazioni del dispositivo per i ruoli per richiedere l'approvazione dell'amministratore prima che gli utenti possano collegare nuovi dispositivi.",
+    "approvalsEmptyStateStep1Title": "Vai ai ruoli",
+    "approvalsEmptyStateStep1Description": "Vai alle impostazioni dei ruoli della tua organizzazione per configurare le approvazioni del dispositivo.",
+    "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
+    "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
+    "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -18,6 +18,8 @@
    "componentsMember": "당신은 {count, plural, =0 {조직이 없습니다} one {하나의 조직} other {# 개의 조직}}의 구성원입니다.",
    "componentsInvalidKey": "유효하지 않거나 만료된 라이센스 키가 감지되었습니다. 모든 기능을 계속 사용하려면 라이센스 조건을 따르십시오.",
    "dismiss": "해제",
+    "subscriptionViolationMessage": "현재 계획의 한계를 초과했습니다. 사이트, 사용자 또는 기타 리소스를 제거하여 계획 내에 머물도록 해결하세요.",
+    "subscriptionViolationViewBilling": "청구 보기",
    "componentsLicenseViolation": "라이센스 위반: 이 서버는 {usedSites} 사이트를 사용하고 있으며, 이는 {maxSites} 사이트의 라이센스 한도를 초과합니다. 모든 기능을 계속 사용하려면 라이센스 조건을 따르십시오.",
    "componentsSupporterMessage": "{tier}로 판골린을 지원해 주셔서 감사합니다!",
    "inviteErrorNotValid": "죄송하지만, 접근하려는 초대가 수락되지 않았거나 더 이상 유효하지 않은 것 같습니다.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "모든 네트워크 연결",
    "sitesBannerDescription": "사이트는 원격 네트워크와의 연결로 Pangolin이 어디서나 사용자에게 공공 및 개인 리소스에 대한 접근을 제공할 수 있게 해 줍니다. 연결을 설정하려면 바이너리 또는 컨테이너로 실행할 수 있는 어디서든 사이트 네트워크 커넥터(Newt)를 설치하세요.",
    "sitesBannerButtonText": "사이트 설치",
+    "approvalsBannerTitle": "장치 접근 승인 또는 거부",
+    "approvalsBannerDescription": "사용자의 장치 접근 요청을 검토하고 승인하거나 거부하세요. 장치 승인 요구 시, 관리자의 승인이 필요합니다.",
+    "approvalsBannerButtonText": "자세히 알아보기",
    "siteCreate": "사이트 생성",
    "siteCreateDescription2": "아래 단계를 따라 새 사이트를 생성하고 연결하십시오",
    "siteCreateDescription": "리소스를 연결하기 위해 새 사이트를 생성하세요.",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "역할 검색...",
    "accessRolesAdd": "역할 추가",
    "accessRoleDelete": "역할 삭제",
+    "accessApprovalsManage": "승인 관리",
+    "accessApprovalsDescription": "이 조직의 접근 승인 대기를 보고 관리하세요.",
    "description": "설명",
    "inviteTitle": "열린 초대",
    "inviteDescription": "다른 사용자가 조직에 참여하도록 초대장을 관리합니다.",
@@ -450,6 +457,18 @@
    "selectDuration": "지속 시간 선택",
    "selectResource": "리소스 선택",
    "filterByResource": "리소스별 필터",
+    "selectApprovalState": "승인 상태 선택",
+    "filterByApprovalState": "승인 상태로 필터링",
+    "approvalListEmpty": "승인이 없습니다.",
+    "approvalState": "승인 상태",
+    "approve": "승인",
+    "approved": "승인됨",
+    "denied": "거부됨",
+    "deniedApproval": "승인 거부됨",
+    "all": "모두",
+    "deny": "거부",
+    "viewDetails": "세부 정보 보기",
+    "requestingNewDeviceApproval": "새 장치를 요청함",
    "resetFilters": "필터 재설정",
    "totalBlocked": "Pangolin으로 차단된 요청",
    "totalRequests": "총 요청 수",
@@ -729,16 +748,28 @@
    "countries": "국가",
    "accessRoleCreate": "역할 생성",
    "accessRoleCreateDescription": "사용자를 그룹화하고 권한을 관리하기 위해 새 역할을 생성하세요.",
+    "accessRoleEdit": "역할 편집",
+    "accessRoleEditDescription": "역할 정보 편집.",
    "accessRoleCreateSubmit": "역할 생성",
    "accessRoleCreated": "역할이 생성되었습니다.",
    "accessRoleCreatedDescription": "역할이 성공적으로 생성되었습니다.",
    "accessRoleErrorCreate": "역할 생성 실패",
    "accessRoleErrorCreateDescription": "역할 생성 중 오류가 발생했습니다.",
+    "accessRoleUpdateSubmit": "역할 업데이트",
+    "accessRoleUpdated": "역할 업데이트됨",
+    "accessRoleUpdatedDescription": "역할이 성공적으로 업데이트되었습니다.",
+    "accessApprovalUpdated": "승인 처리됨",
+    "accessApprovalApprovedDescription": "승인 요청을 승인으로 설정.",
+    "accessApprovalDeniedDescription": "승인 요청을 거부로 설정.",
+    "accessRoleErrorUpdate": "역할 업데이트 실패",
+    "accessRoleErrorUpdateDescription": "역할 업데이트 중 오류 발생.",
+    "accessApprovalErrorUpdate": "승인 처리 실패",
+    "accessApprovalErrorUpdateDescription": "승인 처리 중 오류가 발생했습니다.",
    "accessRoleErrorNewRequired": "새 역할이 필요합니다.",
    "accessRoleErrorRemove": "역할 제거에 실패했습니다.",
    "accessRoleErrorRemoveDescription": "역할을 제거하는 동안 오류가 발생했습니다.",
    "accessRoleName": "역할 이름",
-    "accessRoleQuestionRemove": "{name} 역할을 삭제하려고 합니다. 이 작업은 취소할 수 없습니다.",
+    "accessRoleQuestionRemove": "`{name}` 역할을 삭제하려고 합니다. 이 작업은 되돌릴 수 없습니다.",
    "accessRoleRemove": "역할 제거",
    "accessRoleRemoveDescription": "조직에서 역할 제거",
    "accessRoleRemoveSubmit": "역할 제거",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "관리자에게 문의하십시오",
    "passwordResetSmtpRequiredDescription": "비밀번호를 재설정하려면 비밀번호 초기화 코드가 필요합니다. 지원을 받으려면 관리자에게 문의하십시오.",
    "passwordBack": "비밀번호로 돌아가기",
-    "loginBack": "로그인으로 돌아가기",
+    "loginBack": "메인 로그인 페이지로 돌아갑니다.",
    "signup": "가입하기",
    "loginStart": "시작하려면 로그인하세요.",
    "idpOidcTokenValidating": "OIDC 토큰 검증 중",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "IDP 조직 업데이트",
    "actionCreateClient": "클라이언트 생성",
    "actionDeleteClient": "클라이언트 삭제",
+    "actionArchiveClient": "클라이언트 보관",
+    "actionUnarchiveClient": "클라이언트 보관 취소",
+    "actionBlockClient": "클라이언트 차단",
+    "actionUnblockClient": "클라이언트 차단 해제",
    "actionUpdateClient": "클라이언트 업데이트",
    "actionListClients": "클라이언트 목록",
    "actionGetClient": "클라이언트 가져오기",
@@ -1134,14 +1169,14 @@
    "searchProgress": "검색...",
    "create": "생성",
    "orgs": "조직",
-    "loginError": "로그인 중 오류가 발생했습니다",
-    "loginRequiredForDevice": "장치를 인증하려면 로그인이 필요합니다.",
+    "loginError": "예기치 않은 오류가 발생했습니다. 다시 시도해주세요.",
+    "loginRequiredForDevice": "로그인이 필요합니다.",
    "passwordForgot": "비밀번호를 잊으셨나요?",
    "otpAuth": "이중 인증",
    "otpAuthDescription": "인증 앱에서 코드를 입력하거나 단일 사용 백업 코드 중 하나를 입력하세요.",
    "otpAuthSubmit": "코드 제출",
    "idpContinue": "또는 계속 진행하십시오.",
-    "otpAuthBack": "로그인으로 돌아가기",
+    "otpAuthBack": "비밀번호로 돌아가기",
    "navbar": "탐색 메뉴",
    "navbarDescription": "애플리케이션의 주요 탐색 메뉴",
    "navbarDocsLink": "문서",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "개요",
    "sidebarHome": "홈",
    "sidebarSites": "사이트",
+    "sidebarApprovals": "승인 요청",
    "sidebarResources": "리소스",
    "sidebarProxyResources": "공유",
    "sidebarClientResources": "비공개",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "신원 공급자",
    "sidebarLicense": "라이선스",
    "sidebarClients": "클라이언트",
-    "sidebarUserDevices": "사용자",
+    "sidebarUserDevices": "사용자 장치",
    "sidebarMachineClients": "기계",
    "sidebarDomains": "도메인",
    "sidebarGeneral": "관리",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "서버 관리자 계정을 생성하는 동안 오류가 발생했습니다.",
    "certificateStatus": "인증서 상태",
    "loading": "로딩 중",
+    "loadingAnalytics": "분석 로딩 중",
    "restart": "재시작",
    "domains": "도메인",
    "domainsDescription": "조직에서 사용 가능한 도메인 생성 및 관리",
@@ -1304,6 +1341,7 @@
    "refreshError": "데이터 새로고침 실패",
    "verified": "검증됨",
    "pending": "대기 중",
+    "pendingApproval": "승인 대기 중",
    "sidebarBilling": "청구",
    "billing": "청구",
    "orgBillingDescription": "청구 정보 및 구독을 관리하세요",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "사용 한도 개요",
    "billingMonitorUsage": "설정된 한도에 대한 사용량을 모니터링합니다. 한도를 늘려야 하는 경우 support@pangolin.net로 연락하십시오.",
    "billingDataUsage": "데이터 사용량",
-    "billingOnlineTime": "사이트 온라인 시간",
-    "billingUsers": "활성 사용자",
-    "billingDomains": "활성 도메인",
-    "billingRemoteExitNodes": "활성 자체 호스팅 노드",
+    "billingSites": "사이트",
+    "billingUsers": "사용자",
+    "billingDomains": "도메인",
+    "billingRemoteExitNodes": "원격 노드",
    "billingNoLimitConfigured": "구성된 한도가 없습니다.",
    "billingEstimatedPeriod": "예상 청구 기간",
    "billingIncludedUsage": "포함 사용량",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "포털 URL을 가져오는 데 실패했습니다.",
    "billingPortalError": "포털 오류",
    "billingDataUsageInfo": "클라우드에 연결할 때 보안 터널을 통해 전송된 모든 데이터에 대해 비용이 청구됩니다. 여기에는 모든 사이트의 들어오고 나가는 트래픽이 포함됩니다. 사용량 한도에 도달하면 플랜을 업그레이드하거나 사용량을 줄일 때까지 사이트가 연결 해제됩니다. 노드를 사용하는 경우 데이터는 요금이 청구되지 않습니다.",
-    "billingOnlineTimeInfo": "사이트가 클라우드에 연결된 시간에 따라 요금이 청구됩니다. 예를 들어, 44,640분은 사이트가 한 달 내내 24시간 작동하는 것과 같습니다. 사용량 한도에 도달하면 플랜을 업그레이드하거나 사용량을 줄일 때까지 사이트가 연결 해제됩니다. 노드를 사용할 때 시간은 요금이 청구되지 않습니다.",
-    "billingUsersInfo": "조직의 사용자마다 요금이 청구됩니다. 청구는 조직의 활성 사용자 계정 수에 따라 매일 계산됩니다.",
-    "billingDomainInfo": "조직의 도메인마다 요금이 청구됩니다. 청구는 조직의 활성 도메인 계정 수에 따라 매일 계산됩니다.",
-    "billingRemoteExitNodesInfo": "조직의 관리 노드마다 요금이 청구됩니다. 청구는 조직의 활성 관리 노드 수에 따라 매일 계산됩니다.",
+    "billingSInfo": "사용할 수 있는 사이트 수",
+    "billingUsersInfo": "사용할 수 있는 사용자 수",
+    "billingDomainInfo": "사용할 수 있는 도메인 수",
+    "billingRemoteExitNodesInfo": "사용할 수 있는 원격 노드 수",
+    "billingLicenseKeys": "라이센스 키",
+    "billingLicenseKeysDescription": "라이센스 키 구독을 관리하세요",
+    "billingLicenseSubscription": "라이센스 구독",
+    "billingInactive": "비활성화됨",
+    "billingLicenseItem": "라이센스 항목",
+    "billingQuantity": "수량",
+    "billingTotal": "총계",
+    "billingModifyLicenses": "라이센스 구독 수정",
    "domainNotFound": "도메인을 찾을 수 없습니다",
    "domainNotFoundDescription": "이 리소스는 도메인이 더 이상 시스템에 존재하지 않아 비활성화되었습니다. 이 리소스에 대한 새 도메인을 설정하세요.",
    "failed": "실패",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "보안 키가 성공적으로 제거되었습니다",
    "securityKeyRemoveError": "보안 키 제거 실패",
    "securityKeyLoadError": "보안 키를 불러오는 데 실패했습니다",
-    "securityKeyLogin": "보안 키로 계속하기",
+    "securityKeyLogin": "보안 키 사용",
    "securityKeyAuthError": "보안 키를 사용한 인증 실패",
    "securityKeyRecommendation": "항상 계정에 액세스할 수 있도록 다른 장치에 백업 보안 키를 등록하세요.",
    "registering": "등록 중...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "HTTP 리소스가 아닌 경우 포트 번호가 필요합니다",
    "resourcePortNotAllowed": "HTTP 리소스에 대해 포트 번호를 설정하지 마세요",
    "billingPricingCalculatorLink": "가격 계산기",
+    "billingYourPlan": "귀하의 계획",
+    "billingViewOrModifyPlan": "현재 계획 보기 또는 수정",
+    "billingViewPlanDetails": "계획 세부정보 보기",
+    "billingUsageAndLimits": "사용량 및 제한",
+    "billingViewUsageAndLimits": "계획의 제한 및 현재 사용량 보기",
+    "billingCurrentUsage": "현재 사용량",
+    "billingMaximumLimits": "최대 제한",
+    "billingRemoteNodes": "원격 노드",
+    "billingUnlimited": "무제한",
+    "billingPaidLicenseKeys": "유료 라이센스 키",
+    "billingManageLicenseSubscription": "유료 독립 호스트 라이센스 키를 위한 구독 관리",
+    "billingCurrentKeys": "현재 키",
+    "billingModifyCurrentPlan": "현재 계획 수정",
+    "billingConfirmUpgrade": "업그레이드 확인",
+    "billingConfirmDowngrade": "다운그레이드 확인",
+    "billingConfirmUpgradeDescription": "계획을 업그레이드하려고 합니다. 아래의 새로운 제한 및 가격을 검토하세요.",
+    "billingConfirmDowngradeDescription": "계획을 다운그레이드하려고 합니다. 아래의 새로운 제한 및 가격을 검토하세요.",
+    "billingPlanIncludes": "계획 포함",
+    "billingProcessing": "처리 중...",
+    "billingConfirmUpgradeButton": "업그레이드 확인",
+    "billingConfirmDowngradeButton": "다운그레이드 확인",
+    "billingLimitViolationWarning": "사용량이 새 계획의 제한을 초과합니다.",
+    "billingLimitViolationDescription": "현재 사용량이 이 계획의 제한을 초과합니다. 다운그레이드 후 모든 작업은 새로운 제한 내로 사용량을 줄일 때까지 비활성화됩니다. 현재 초과된 제한 특징들을 검토하세요. 위반된 제한:",
+    "billingFeatureLossWarning": "기능 가용성 알림",
+    "billingFeatureLossDescription": "다운그레이드함으로써 새 계획에서 사용할 수 없는 기능은 자동으로 비활성화됩니다. 일부 설정 및 구성은 손실될 수 있습니다. 어떤 기능들이 더 이상 사용 불가능한지 이해하기 위해 가격표를 검토하세요.",
+    "billingUsageExceedsLimit": "현재 사용량 ({current})이 제한 ({limit})을 초과합니다",
    "signUpTerms": {
        "IAgreeToThe": "동의합니다",
        "termsOfService": "서비스 약관",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "정상 간격",
    "timeoutSeconds": "타임아웃(초)",
    "timeIsInSeconds": "시간은 초 단위입니다",
+    "requireDeviceApproval": "장치 승인 요구",
+    "requireDeviceApprovalDescription": "이 역할을 가진 사용자는 장치가 연결되기 전에 관리자의 승인이 필요합니다.",
    "retryAttempts": "재시도 횟수",
    "expectedResponseCodes": "예상 응답 코드",
    "expectedResponseCodesDescription": "정상 상태를 나타내는 HTTP 상태 코드입니다. 비워 두면 200-300이 정상으로 간주됩니다.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "내부 리소스를 찾을 수 없습니다.",
    "resourcesTableDestination": "대상지",
    "resourcesTableAlias": "별칭",
+    "resourcesTableAliasAddress": "별칭 주소",
+    "resourcesTableAliasAddressInfo": "이 주소는 조직의 유틸리티 서브넷의 일부로, 내부 DNS 해석을 사용하여 별칭 레코드를 해석하는 데 사용됩니다.",
    "resourcesTableClients": "클라이언트",
    "resourcesTableAndOnlyAccessibleInternally": "클라이언트와 연결되었을 때만 내부적으로 접근 가능합니다.",
    "resourcesTableNoTargets": "대상 없음",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
    "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
    "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
-    "orgAuthSignInToOrg": "조직에 로그인합니다.",
+    "orgAuthSignInToOrg": "조직에 로그인",
    "orgAuthSelectOrgTitle": "조직 로그인",
    "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "표준 로그인을 통해 돌아가기",
    "orgAuthNoAccount": "계정이 없으신가요?",
    "subscriptionRequiredToUse": "이 기능을 사용하려면 구독이 필요합니다.",
+    "mustUpgradeToUse": "이 기능을 사용하려면 구독을 업그레이드해야 합니다.",
+    "subscriptionRequiredTierToUse": "이 기능을 사용하려면 <tierLink>{tier}</tierLink> 이상의 등급이 필요합니다.",
+    "upgradeToTierToUse": "이 기능을 사용하려면 <tierLink>{tier}</tierLink> 이상으로 업그레이드하세요.",
+    "subscriptionTierTier1": "홈",
+    "subscriptionTierTier2": "팀",
+    "subscriptionTierTier3": "비즈니스",
+    "subscriptionTierEnterprise": "기업",
    "idpDisabled": "신원 공급자가 비활성화되었습니다.",
    "orgAuthPageDisabled": "조직 인증 페이지가 비활성화되었습니다.",
    "domainRestartedDescription": "도메인 인증이 성공적으로 재시작되었습니다.",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "라이센스 가져오기",
+        "description": "계획을 선택하고 Pangolin을 어떻게 사용할지 알려주세요.",
+        "chooseTier": "계획 선택",
+        "viewPricingLink": "가격, 기능 및 제한 보기",
+        "tiers": {
+            "starter": {
+                "title": "스타터",
+                "description": "기업 기능, 25명의 사용자, 25개의 사이트, 커뮤니티 지원."
+            },
+            "scale": {
+                "title": "스케일",
+                "description": "기업 기능, 50명의 사용자, 50개의 사이트, 우선 지원."
+            }
+        },
+        "personalUseOnly": "개인 사용 전용 (무료 라이센스 — 체크아웃 없음)",
+        "buttons": {
+            "continueToCheckout": "결제로 진행"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "체크아웃 오류",
+                "description": "체크아웃을 시작할 수 없습니다. 다시 시도하세요."
+            }
+        }
+    },
    "priority": "우선순위",
    "priorityDescription": "우선 순위가 높은 경로가 먼저 평가됩니다. 우선 순위 = 100은 자동 정렬(시스템 결정)이 의미합니다. 수동 우선 순위를 적용하려면 다른 숫자를 사용하세요.",
    "instanceName": "인스턴스 이름",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
    "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
    "licenseRequiredToUse": "이 기능을 사용하려면 Enterprise 라이선스가 필요합니다.",
+    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink>이 필요합니다.",
    "certResolver": "인증서 해결사",
    "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
    "selectCertResolver": "인증서 해결사 선택",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "코드는 9자리여야 합니다 (예: A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "무효하거나 만료된 코드",
    "deviceCodeVerifyFailed": "이메일 확인에 실패했습니다:",
+    "deviceCodeValidating": "장치 코드 검증 중...",
+    "deviceCodeVerifying": "장치 권한 검증 중...",
    "signedInAs": "로그인한 사용자",
    "deviceCodeEnterPrompt": "기기에 표시된 코드를 입력하세요",
    "continue": "계속 진행하기",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "계정이 접근할 수 있는 모든 조직에 대한 접근",
    "deviceAuthorize": "{applicationName} 권한 부여",
    "deviceConnected": "장치가 연결되었습니다!",
-    "deviceAuthorizedMessage": "장치가 계정에 액세스할 수 있도록 승인되었습니다.",
+    "deviceAuthorizedMessage": "장치가 계정 접속을 승인받았습니다. 클라이언트 응용프로그램으로 돌아가세요.",
    "pangolinCloud": "판골린 클라우드",
    "viewDevices": "장치 보기",
    "viewDevicesDescription": "연결된 장치를 관리하십시오",
@@ -2306,6 +2418,7 @@
    "identifier": "식별자",
    "deviceLoginUseDifferentAccount": "본인이 아닙니까? 다른 계정을 사용하세요.",
    "deviceLoginDeviceRequestingAccessToAccount": "장치가 이 계정에 접근하려고 합니다.",
+    "loginSelectAuthenticationMethod": "계속하려면 인증 방법을 선택하세요.",
    "noData": "데이터 없음",
    "machineClients": "기계 클라이언트",
    "install": "설치",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "서비스 일시 중단",
    "maintenanceScreenMessage": "현재 기술적 문제를 겪고 있습니다. 곧 다시 확인하십시오.",
    "maintenanceScreenEstimatedCompletion": "예상 완료:",
-    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다."
+    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다.",
+    "available": "사용 가능",
+    "archived": "보관된",
+    "noArchivedDevices": "보관된 장치가 없습니다.",
+    "deviceArchived": "장치가 보관되었습니다.",
+    "deviceArchivedDescription": "장치가 성공적으로 보관되었습니다.",
+    "errorArchivingDevice": "장치를 보관하는 동안 오류가 발생했습니다.",
+    "failedToArchiveDevice": "장치를 보관하는 데 실패했습니다.",
+    "deviceQuestionArchive": "이 장치를 보관하시겠습니까?",
+    "deviceMessageArchive": "장치가 보관되며 당신의 활성 장치 목록에서 제거됩니다.",
+    "deviceArchiveConfirm": "장치 보관",
+    "archiveDevice": "장치 보관",
+    "archive": "보관",
+    "deviceUnarchived": "장치의 보관이 취소되었습니다.",
+    "deviceUnarchivedDescription": "장치의 보관이 성공적으로 취소되었습니다.",
+    "errorUnarchivingDevice": "장치 보관 해제 중 오류가 발생했습니다.",
+    "failedToUnarchiveDevice": "장치 보관 해제 실패",
+    "unarchive": "보관 해제",
+    "archiveClient": "클라이언트 보관",
+    "archiveClientQuestion": "이 클라이언트를 보관하시겠습니까?",
+    "archiveClientMessage": "클라이언트가 보관되며 당신의 활성 클라이언트 목록에서 제거됩니다.",
+    "archiveClientConfirm": "클라이언트 보관 확인",
+    "blockClient": "클라이언트 차단",
+    "blockClientQuestion": "이 클라이언트를 차단하시겠습니까?",
+    "blockClientMessage": "장치가 현재 연결되어 있는 경우 강제로 연결이 해제됩니다. 이후에도 차단 해제가 가능합니다.",
+    "blockClientConfirm": "클라이언트 차단 확인",
+    "active": "활성",
+    "usernameOrEmail": "사용자 이름 또는 이메일",
+    "selectYourOrganization": "조직 선택",
+    "signInTo": "로그인 중",
+    "signInWithPassword": "비밀번호로 계속",
+    "noAuthMethodsAvailable": "이 조직에는 사용할 수 있는 인증 방법이 없습니다.",
+    "enterPassword": "비밀번호를 입력하세요.",
+    "enterMfaCode": "인증 앱에서 제공한 코드를 입력하세요.",
+    "securityKeyRequired": "보안 키를 사용해 로그인하세요.",
+    "needToUseAnotherAccount": "다른 계정을 사용해야 합니까?",
+    "loginLegalDisclaimer": "아래 버튼을 클릭하여 <termsOfService>서비스 약관</termsOfService>과 <privacyPolicy>개인 정보 보호 정책</privacyPolicy>을 읽고 이해했으며 동의함을 인정합니다.",
+    "termsOfService": "서비스 약관",
+    "privacyPolicy": "개인 정보 보호 정책",
+    "userNotFoundWithUsername": "해당 사용자 이름으로 사용자를 찾지 못했습니다.",
+    "verify": "확인",
+    "signIn": "로그인",
+    "forgotPassword": "비밀번호를 잊으셨나요?",
+    "orgSignInTip": "이전에 로그인한 적이 있다면, 위의 사용자 이름 또는 이메일을 입력하여 조직의 ID 공급자로 인증할 수 있습니다. 더 쉬워요!",
+    "continueAnyway": "계속하기",
+    "dontShowAgain": "다시 보기 않습니다.",
+    "orgSignInNotice": "아셨나요?",
+    "signupOrgNotice": "로그인 중이신가요?",
+    "signupOrgTip": "조직의 ID 공급자를 통해 로그인하려고 하십니까?",
+    "signupOrgLink": "대신 조직을 사용하여 로그인 또는 가입",
+    "verifyEmailLogInWithDifferentAccount": "다른 계정 사용",
+    "logIn": "로그인",
+    "deviceInformation": "장치 정보",
+    "deviceInformationDescription": "장치와 에이전트 정보",
+    "deviceSecurity": "디바이스 보안",
+    "deviceSecurityDescription": "디바이스 보안 상태 정보",
+    "platform": "플랫폼",
+    "macosVersion": "macOS 버전",
+    "windowsVersion": "Windows 버전",
+    "iosVersion": "iOS 버전",
+    "androidVersion": "Android 버전",
+    "osVersion": "OS 버전",
+    "kernelVersion": "커널 버전",
+    "deviceModel": "장치 모델",
+    "serialNumber": "일련 번호",
+    "hostname": "호스트 이름",
+    "firstSeen": "처음 발견됨",
+    "lastSeen": "마지막으로 발견됨",
+    "biometricsEnabled": "생체 인식 활성화",
+    "diskEncrypted": "디스크 암호화됨",
+    "firewallEnabled": "방화벽 활성화",
+    "autoUpdatesEnabled": "자동 업데이트 활성화",
+    "tpmAvailable": "TPM 사용 가능",
+    "windowsAntivirusEnabled": "안티바이러스 활성화됨",
+    "macosSipEnabled": "시스템 무결성 보호 (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "방화벽 스텔스 모드",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "장치 정보 및 설정 보기",
+    "devicePendingApprovalDescription": "이 장치는 승인을 기다리고 있습니다.",
+    "deviceBlockedDescription": "이 장치는 현재 차단되었습니다. 차단이 해제되지 않으면 리소스에 연결할 수 없습니다.",
+    "unblockClient": "클라이언트 차단 해제",
+    "unblockClientDescription": "장치가 차단 해제되었습니다.",
+    "unarchiveClient": "클라이언트 보관 취소",
+    "unarchiveClientDescription": "장치가 보관 해제되었습니다.",
+    "block": "차단",
+    "unblock": "차단 해제",
+    "deviceActions": "장치 작업",
+    "deviceActionsDescription": "장치 상태 및 접근 관리",
+    "devicePendingApprovalBannerDescription": "이 장치는 승인 대기 중입니다. 승인될 때까지 리소스에 연결할 수 없습니다.",
+    "connected": "연결됨",
+    "disconnected": "연결 해제됨",
+    "approvalsEmptyStateTitle": "장치 승인 비활성화됨",
+    "approvalsEmptyStateDescription": "사용자가 새 장치를 연결하기 전에 관리자의 승인을 필요로 하도록 역할에 대해 장치 승인을 활성화하세요.",
+    "approvalsEmptyStateStep1Title": "역할로 이동",
+    "approvalsEmptyStateStep1Description": "조직의 역할 설정으로 이동하여 장치 승인을 구성하십시오.",
+    "approvalsEmptyStateStep2Title": "장치 승인 활성화",
+    "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
+    "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
+    "approvalsEmptyStateButtonText": "역할 관리"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -18,6 +18,8 @@
    "componentsMember": "Du er {count, plural, =0 {ikke medlem av noen organisasjoner} one {medlem av en organisasjon} other {medlem av # organisasjoner}}.",
    "componentsInvalidKey": "Ugyldig eller utgått lisensnøkkel oppdaget. Følg lisensvilkårene for å fortsette å kunne bruke alle funksjonene.",
    "dismiss": "Avvis",
+    "subscriptionViolationMessage": "Du er utenfor grensen for gjeldende plan. Rett problemet ved å fjerne nettsteder, brukere eller andre ressurser for å bli innenfor planen din.",
+    "subscriptionViolationViewBilling": "Vis fakturering",
    "componentsLicenseViolation": "Lisens Brudd: Denne serveren bruker {usedSites} områder som overskrider den lisensierte grenser av {maxSites} områder. Følg lisensvilkårene for å fortsette å kunne bruke alle funksjonene.",
    "componentsSupporterMessage": "Takk for at du støtter Pangolin som en {tier}!",
    "inviteErrorNotValid": "Beklager, men det ser ut som invitasjonen du prøver å bruke ikke har blitt akseptert eller ikke er gyldig lenger.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Koble til alle nettverk",
    "sitesBannerDescription": "Et nettverk er en tilkobling til et eksternt nettverk som tillater Pangolin å gi tilgang til ressurser, enten offentlige eller private, til brukere hvor som helst. Installer nettverkskontaktet (Newt) hvor som helst du kan kjøre en binærfil eller container for å opprette forbindelsen.",
    "sitesBannerButtonText": "Installer nettsted",
+    "approvalsBannerTitle": "Godkjenn eller avslå tilgang til enhet",
+    "approvalsBannerDescription": "Gjennomgå og godkjenne eller avslå forespørsler om tilgang fra brukere. Når enhetsgodkjenninger er nødvendig, må brukere få admingodkjenning før enhetene kan koble seg til organisasjonens ressurser.",
+    "approvalsBannerButtonText": "Lær mer",
    "siteCreate": "Opprett område",
    "siteCreateDescription2": "Følg trinnene nedenfor for å opprette og koble til et nytt område",
    "siteCreateDescription": "Opprett et nytt nettsted for å koble til ressurser",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Søk etter roller...",
    "accessRolesAdd": "Legg til rolle",
    "accessRoleDelete": "Slett rolle",
+    "accessApprovalsManage": "Behandle godkjenninger",
+    "accessApprovalsDescription": "Se og administrer ventende godkjenninger for tilgang til denne organisasjonen",
    "description": "Beskrivelse",
    "inviteTitle": "Åpne invitasjoner",
    "inviteDescription": "Administrer invitasjoner til andre brukere for å bli med i organisasjonen",
@@ -450,6 +457,18 @@
    "selectDuration": "Velg varighet",
    "selectResource": "Velg ressurs",
    "filterByResource": "Filtrer etter ressurser",
+    "selectApprovalState": "Velg godkjenningsstatus",
+    "filterByApprovalState": "Filtrer etter godkjenningsstatus",
+    "approvalListEmpty": "Ingen godkjenninger",
+    "approvalState": "Godkjennings tilstand",
+    "approve": "Godkjenn",
+    "approved": "Godkjent",
+    "denied": "Avvist",
+    "deniedApproval": "Avslått godkjenning",
+    "all": "Alle",
+    "deny": "Avslå",
+    "viewDetails": "Vis detaljer",
+    "requestingNewDeviceApproval": "forespurt en ny enhet",
    "resetFilters": "Tilbakestill filtre",
    "totalBlocked": "Forespørsler blokkert av Pangolin",
    "totalRequests": "Totalt antall forespørsler",
@@ -729,16 +748,28 @@
    "countries": "Land",
    "accessRoleCreate": "Opprett rolle",
    "accessRoleCreateDescription": "Opprett en ny rolle for å gruppere brukere og administrere deres tillatelser.",
+    "accessRoleEdit": "Rediger rolle",
+    "accessRoleEditDescription": "Rediger rolleinformasjon.",
    "accessRoleCreateSubmit": "Opprett rolle",
    "accessRoleCreated": "Rolle opprettet",
    "accessRoleCreatedDescription": "Rollen er vellykket opprettet.",
    "accessRoleErrorCreate": "Klarte ikke å opprette rolle",
    "accessRoleErrorCreateDescription": "Det oppstod en feil under opprettelse av rollen.",
+    "accessRoleUpdateSubmit": "Oppdater rolle",
+    "accessRoleUpdated": "Rollen oppdatert",
+    "accessRoleUpdatedDescription": "Rollen har blitt oppdatert.",
+    "accessApprovalUpdated": "Godkjenning behandlet",
+    "accessApprovalApprovedDescription": "Sett godkjenningsforespørsel om å godta.",
+    "accessApprovalDeniedDescription": "Sett godkjenningsforespørsel om å nekte.",
+    "accessRoleErrorUpdate": "Kunne ikke oppdatere rolle",
+    "accessRoleErrorUpdateDescription": "Det oppstod en feil under oppdatering av rollen.",
+    "accessApprovalErrorUpdate": "Kunne ikke behandle godkjenning",
+    "accessApprovalErrorUpdateDescription": "Det oppstod en feil under behandling av godkjenningen.",
    "accessRoleErrorNewRequired": "Ny rolle kreves",
    "accessRoleErrorRemove": "Kunne ikke fjerne rolle",
    "accessRoleErrorRemoveDescription": "Det oppstod en feil under fjerning av rollen.",
    "accessRoleName": "Rollenavn",
-    "accessRoleQuestionRemove": "Du er i ferd med å slette rollen {name}. Du kan ikke angre denne handlingen.",
+    "accessRoleQuestionRemove": "Du er ferd med å slette rollen `{name}. Du kan ikke angre denne handlingen.",
    "accessRoleRemove": "Fjern Rolle",
    "accessRoleRemoveDescription": "Fjern en rolle fra organisasjonen",
    "accessRoleRemoveSubmit": "Fjern Rolle",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Denne organisasjonen krever at du bytter passord hver {maxDays} dag.",
    "changePasswordNow": "Bytt passord nå",
    "pincodeAuth": "Autentiseringskode",
-    "pincodeSubmit2": "Send inn kode",
+    "pincodeSubmit2": "Send kode",
    "passwordResetSubmit": "Be om tilbakestilling",
    "passwordResetAlreadyHaveCode": "Skriv inn koden",
    "passwordResetSmtpRequired": "Kontakt din administrator",
    "passwordResetSmtpRequiredDescription": "En passord tilbakestillingskode kreves for å tilbakestille passordet. Kontakt systemansvarlig for assistanse.",
    "passwordBack": "Tilbake til passord",
-    "loginBack": "Gå tilbake til innlogging",
+    "loginBack": "Gå tilbake til innloggingssiden for hovedkontoen",
    "signup": "Registrer deg",
    "loginStart": "Logg inn for å komme i gang",
    "idpOidcTokenValidating": "Validerer OIDC-token",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Oppdater IDP-organisasjon",
    "actionCreateClient": "Opprett Klient",
    "actionDeleteClient": "Slett klient",
+    "actionArchiveClient": "Arkiver klient",
+    "actionUnarchiveClient": "Fjern arkivering klient",
+    "actionBlockClient": "Blokker kunde",
+    "actionUnblockClient": "Avblokker klient",
    "actionUpdateClient": "Oppdater klient",
    "actionListClients": "List klienter",
    "actionGetClient": "Hent klient",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Søker...",
    "create": "Opprett",
    "orgs": "Organisasjoner",
-    "loginError": "En feil oppstod under innlogging",
-    "loginRequiredForDevice": "Innlogging kreves for å godkjenne enheten.",
+    "loginError": "En uventet feil oppstod. Vennligst prøv igjen.",
+    "loginRequiredForDevice": "Innlogging er nødvendig for enheten din.",
    "passwordForgot": "Glemt passordet ditt?",
    "otpAuth": "Tofaktorautentisering",
    "otpAuthDescription": "Skriv inn koden fra autentiseringsappen din eller en av dine engangs reservekoder.",
    "otpAuthSubmit": "Send inn kode",
    "idpContinue": "Eller fortsett med",
-    "otpAuthBack": "Tilbake til innlogging",
+    "otpAuthBack": "Tilbake til passord",
    "navbar": "Navigasjonsmeny",
    "navbarDescription": "Hovednavigasjonsmeny for applikasjonen",
    "navbarDocsLink": "Dokumentasjon",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Oversikt",
    "sidebarHome": "Hjem",
    "sidebarSites": "Områder",
+    "sidebarApprovals": "Godkjenningsforespørsler",
    "sidebarResources": "Ressurser",
    "sidebarProxyResources": "Offentlig",
    "sidebarClientResources": "Privat",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Identitetsleverandører",
    "sidebarLicense": "Lisens",
    "sidebarClients": "Klienter",
-    "sidebarUserDevices": "Brukere",
+    "sidebarUserDevices": "Bruker Enheter",
    "sidebarMachineClients": "Maskiner",
    "sidebarDomains": "Domener",
    "sidebarGeneral": "Administrer",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "En feil oppstod under opprettelsen av serveradministratorkontoen.",
    "certificateStatus": "Sertifikatstatus",
    "loading": "Laster inn",
+    "loadingAnalytics": "Laster inn analyser",
    "restart": "Start på nytt",
    "domains": "Domener",
    "domainsDescription": "Opprett og behandle domener som er tilgjengelige i organisasjonen",
@@ -1304,6 +1341,7 @@
    "refreshError": "Klarte ikke å oppdatere data",
    "verified": "Verifisert",
    "pending": "Venter",
+    "pendingApproval": "Venter på godkjenning",
    "sidebarBilling": "Fakturering",
    "billing": "Fakturering",
    "orgBillingDescription": "Administrer faktureringsinformasjon og abonnementer",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Oversikt over bruksgrenser",
    "billingMonitorUsage": "Overvåk bruken din i forhold til konfigurerte grenser. Hvis du trenger økte grenser, vennligst kontakt support@pangolin.net.",
    "billingDataUsage": "Databruk",
-    "billingOnlineTime": "Online tid for nettsteder",
-    "billingUsers": "Aktive brukere",
-    "billingDomains": "Aktive domener",
-    "billingRemoteExitNodes": "Aktive selvstyrte noder",
+    "billingSites": "Områder",
+    "billingUsers": "Brukere",
+    "billingDomains": "Domener",
+    "billingRemoteExitNodes": "Eksterne Noder",
    "billingNoLimitConfigured": "Ingen grense konfigurert",
    "billingEstimatedPeriod": "Estimert faktureringsperiode",
    "billingIncludedUsage": "Inkludert Bruk",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Mislyktes å hente portal URL",
    "billingPortalError": "Portalfeil",
    "billingDataUsageInfo": "Du er ladet for all data som overføres gjennom dine sikre tunneler når du er koblet til skyen. Dette inkluderer både innkommende og utgående trafikk på alle dine nettsteder. Når du når grensen din, vil sidene koble fra til du oppgraderer planen eller reduserer bruken. Data belastes ikke ved bruk av EK-grupper.",
-    "billingOnlineTimeInfo": "Du er ladet på hvor lenge sidene dine forblir koblet til skyen. For eksempel tilsvarer 44,640 minutter ett nettsted som går 24/7 i en hel måned. Når du når grensen din, vil sidene koble fra til du oppgraderer planen eller reduserer bruken. Tid belastes ikke når du bruker noder.",
-    "billingUsersInfo": "Du lades for hver bruker i organisasjonen. Fakturering beregnes daglig basert på antall aktive brukerkontoer i dine org.",
-    "billingDomainInfo": "Du lades for hvert domene i organisasjonen. Fakturering beregnes daglig basert på antallet aktive domenekontoer i din org.",
-    "billingRemoteExitNodesInfo": "Du lades for hver håndterte node i organisasjonen. Fakturering beregnes daglig basert på antallet aktive håndterte noder i dine org.",
+    "billingSInfo": "Hvor mange nettsteder du kan bruke",
+    "billingUsersInfo": "Hvor mange brukere du kan bruke",
+    "billingDomainInfo": "Hvor mange domener du kan bruke",
+    "billingRemoteExitNodesInfo": "Hvor mange fjernnoder du kan bruke",
+    "billingLicenseKeys": "Lisensnøkler",
+    "billingLicenseKeysDescription": "Administrer dine lisensnøkkelabonnementer",
+    "billingLicenseSubscription": "Lisens abonnement",
+    "billingInactive": "Inaktiv",
+    "billingLicenseItem": "Lisens artikkel",
+    "billingQuantity": "Antall",
+    "billingTotal": "totalt",
+    "billingModifyLicenses": "Endre lisensabonnement",
    "domainNotFound": "Domene ikke funnet",
    "domainNotFoundDescription": "Denne ressursen er deaktivert fordi domenet ikke lenger eksisterer i systemet vårt. Vennligst angi et nytt domene for denne ressursen.",
    "failed": "Mislyktes",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Sikkerhetsnøkkel fjernet",
    "securityKeyRemoveError": "Klarte ikke å fjerne sikkerhetsnøkkel",
    "securityKeyLoadError": "Klarte ikke å laste inn sikkerhetsnøkler",
-    "securityKeyLogin": "Fortsett med sikkerhetsnøkkel",
+    "securityKeyLogin": "Bruk sikkerhetsnøkkel",
    "securityKeyAuthError": "Klarte ikke å autentisere med sikkerhetsnøkkel",
    "securityKeyRecommendation": "Registrer en reservesikkerhetsnøkkel på en annen enhet for å sikre at du alltid har tilgang til kontoen din.",
    "registering": "Registrerer...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Portnummer er påkrevd for ikke-HTTP-ressurser",
    "resourcePortNotAllowed": "Portnummer skal ikke angis for HTTP-ressurser",
    "billingPricingCalculatorLink": "Pris Kalkulator",
+    "billingYourPlan": "Din funksjonsplan",
+    "billingViewOrModifyPlan": "Vis eller endre gjeldende abonnement",
+    "billingViewPlanDetails": "Se Planleggings detaljer",
+    "billingUsageAndLimits": "Bruk og grenser",
+    "billingViewUsageAndLimits": "Se planets grenser og gjeldende bruk",
+    "billingCurrentUsage": "Gjeldende bruk",
+    "billingMaximumLimits": "Maks antall grenser",
+    "billingRemoteNodes": "Eksterne Noder",
+    "billingUnlimited": "Ubegrenset",
+    "billingPaidLicenseKeys": "Betalt lisensnøkler",
+    "billingManageLicenseSubscription": "Administrer abonnementet for betalte lisensnøkler selv hostet",
+    "billingCurrentKeys": "Nåværende nøkler",
+    "billingModifyCurrentPlan": "Endre gjeldende plan",
+    "billingConfirmUpgrade": "Bekreft oppgradering",
+    "billingConfirmDowngrade": "Bekreft nedgradering",
+    "billingConfirmUpgradeDescription": "Du er i ferd med å oppgradere abonnementet ditt. Gå gjennom de nye grensene og pris nedenfor.",
+    "billingConfirmDowngradeDescription": "Du er i ferd med å nedgradere planen din. Gå gjennom de nye grensene og pris nedenfor.",
+    "billingPlanIncludes": "Plan Inkluderer",
+    "billingProcessing": "Behandler...",
+    "billingConfirmUpgradeButton": "Bekreft oppgradering",
+    "billingConfirmDowngradeButton": "Bekreft nedgradering",
+    "billingLimitViolationWarning": "Bruk overbelastede grenser for ny plan",
+    "billingLimitViolationDescription": "Gjeldende bruk overskrider grensene for denne planen. Etter nedgradering vil alle handlinger deaktiveres inntil du reduserer bruken innenfor de nye grensene. Vennligst se igjennom funksjonene under som er i øyeblikket over grensene. Begrensninger i vold:",
+    "billingFeatureLossWarning": "Fremhev tilgjengelig varsel",
+    "billingFeatureLossDescription": "Ved å nedgradere vil funksjoner som ikke er tilgjengelige i den nye planen automatisk bli deaktivert. Noen innstillinger og konfigurasjoner kan gå tapt. Vennligst gjennomgå prismatrisen for å forstå hvilke funksjoner som ikke lenger vil være tilgjengelige.",
+    "billingUsageExceedsLimit": "Gjeldende bruk ({current}) overskrider grensen ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Jeg godtar",
        "termsOfService": "brukervilkårene",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Sunt intervall",
    "timeoutSeconds": "Tidsavbrudd (sek)",
    "timeIsInSeconds": "Tid er i sekunder",
+    "requireDeviceApproval": "Krev enhetsgodkjenning",
+    "requireDeviceApprovalDescription": "Brukere med denne rollen trenger nye enheter godkjent av en admin før de kan koble seg og få tilgang til ressurser.",
    "retryAttempts": "Forsøk på nytt",
    "expectedResponseCodes": "Forventede svarkoder",
    "expectedResponseCodesDescription": "HTTP-statuskode som indikerer sunn status. Hvis den blir stående tom, regnes 200-300 som sunn.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Ingen interne ressurser funnet.",
    "resourcesTableDestination": "Destinasjon",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias adresse",
+    "resourcesTableAliasAddressInfo": "Denne adressen er en del av organisasjonens undernettverk. Den brukes til å løse aliasposter ved hjelp av intern DNS-oppløsning.",
    "resourcesTableClients": "Klienter",
    "resourcesTableAndOnlyAccessibleInternally": "og er kun tilgjengelig internt når de er koblet til med en klient.",
    "resourcesTableNoTargets": "Ingen mål",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Tilbake til standard innlogging",
    "orgAuthNoAccount": "Har du ikke konto?",
    "subscriptionRequiredToUse": "Et abonnement er påkrevd for å bruke denne funksjonen.",
+    "mustUpgradeToUse": "Du må oppgradere ditt abonnement for å bruke denne funksjonen.",
+    "subscriptionRequiredTierToUse": "Denne funksjonen krever <tierLink>{tier}</tierLink> eller høyere.",
+    "upgradeToTierToUse": "Oppgrader til <tierLink>{tier}</tierLink> eller høyere for å bruke denne funksjonen.",
+    "subscriptionTierTier1": "Hjem",
+    "subscriptionTierTier2": "Lag",
+    "subscriptionTierTier3": "Forretninger",
+    "subscriptionTierEnterprise": "Bedrift",
    "idpDisabled": "Identitetsleverandører er deaktivert.",
    "orgAuthPageDisabled": "Informasjons-siden for organisasjon er deaktivert.",
    "domainRestartedDescription": "Domene-verifiseringen ble startet på nytt",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Få en lisens",
+        "description": "Velg en plan og fortell oss hvordan du planlegger å bruke Pangolin.",
+        "chooseTier": "Velg din funksjonsplan",
+        "viewPricingLink": "Se prising, egenskaper og grenser",
+        "tiers": {
+            "starter": {
+                "title": "Begynner",
+                "description": "Enterprise features, 25 brukere, 25 sitater og støtte fra fellesskapet."
+            },
+            "scale": {
+                "title": "Skala",
+                "description": "Enterprise features, 50 brukere, 50 nettsteder og prioritetsstøtte."
+            }
+        },
+        "personalUseOnly": "Kun personlig bruk (gratis lisens - ingen utsjekking)",
+        "buttons": {
+            "continueToCheckout": "Fortsett til kassen"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Feil ved utsjekk",
+                "description": "Kan ikke starte kassen. Prøv på nytt."
+            }
+        }
+    },
    "priority": "Prioritet",
    "priorityDescription": "Høyere prioriterte ruter evalueres først. Prioritet = 100 betyr automatisk bestilling (systembeslutninger). Bruk et annet nummer til å håndheve manuell prioritet.",
    "instanceName": "Forekomst navn",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
    "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
    "licenseRequiredToUse": "En Enterprise lisens er påkrevd for å bruke denne funksjonen.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen.",
    "certResolver": "Sertifikat løser",
    "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
    "selectCertResolver": "Velg sertifikatløser",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Kode må inneholde 9 tegn (f.eks A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ugyldig eller utløpt kode",
    "deviceCodeVerifyFailed": "Klarte ikke å bekrefte enhetskoden",
+    "deviceCodeValidating": "Validerer enhetskode...",
+    "deviceCodeVerifying": "Bekrefter enhetens godkjennelse...",
    "signedInAs": "Logget inn som",
    "deviceCodeEnterPrompt": "Skriv inn koden som vises på enheten",
    "continue": "Fortsett",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Tilgang til alle organisasjoner din konto har tilgang til",
    "deviceAuthorize": "Autoriser {applicationName}",
    "deviceConnected": "Enhet tilkoblet!",
-    "deviceAuthorizedMessage": "Enhet er autorisert for tilgang til kontoen din.",
+    "deviceAuthorizedMessage": "Enheten er autorisert for tilgang til kontoen. Vennligst gå tilbake til klientapplikasjonen.",
    "pangolinCloud": "Pangolin Sky",
    "viewDevices": "Vis enheter",
    "viewDevicesDescription": "Administrer tilkoblede enheter",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Ikke du? Bruk en annen konto.",
    "deviceLoginDeviceRequestingAccessToAccount": "En enhet ber om tilgang til denne kontoen.",
+    "loginSelectAuthenticationMethod": "Velg en autentiseringsmetode for å fortsette.",
    "noData": "Ingen data",
    "machineClients": "Maskinklienter",
    "install": "Installer",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Tjenesten er midlertidig utilgjengelig",
    "maintenanceScreenMessage": "Vi opplever for øyeblikket tekniske problemer. Vennligst sjekk igjen snart.",
    "maintenanceScreenEstimatedCompletion": "Estimert ferdigstillelse:",
-    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig"
+    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig",
+    "available": "Tilgjengelig",
+    "archived": "Arkivert",
+    "noArchivedDevices": "Ingen arkiverte enheter funnet",
+    "deviceArchived": "Enhet arkivert",
+    "deviceArchivedDescription": "Enheten er blitt arkivert.",
+    "errorArchivingDevice": "Feil ved arkivering av enhet",
+    "failedToArchiveDevice": "Kunne ikke arkivere enhet",
+    "deviceQuestionArchive": "Er du sikker på at du vil arkivere denne enheten?",
+    "deviceMessageArchive": "Enheten blir arkivert og fjernet fra listen over aktive enheter.",
+    "deviceArchiveConfirm": "Arkiver enhet",
+    "archiveDevice": "Arkiver enhet",
+    "archive": "Arkiv",
+    "deviceUnarchived": "Enheten er uarkivert",
+    "deviceUnarchivedDescription": "Enheten er blitt avarkivert.",
+    "errorUnarchivingDevice": "Feil ved arkivering av enhet",
+    "failedToUnarchiveDevice": "Kunne ikke fjerne arkivere enheten",
+    "unarchive": "Avarkiver",
+    "archiveClient": "Arkiver klient",
+    "archiveClientQuestion": "Er du sikker på at du vil arkivere denne klienten?",
+    "archiveClientMessage": "Klienten arkiveres og fjernes fra listen over aktive klienter.",
+    "archiveClientConfirm": "Arkiver klient",
+    "blockClient": "Blokker kunde",
+    "blockClientQuestion": "Er du sikker på at du vil blokkere denne klienten?",
+    "blockClientMessage": "Enheten blir tvunget til å koble fra hvis den er koblet til. Du kan fjerne blokkeringen av enheten senere.",
+    "blockClientConfirm": "Blokker kunde",
+    "active": "Aktiv",
+    "usernameOrEmail": "Brukernavn eller e-post",
+    "selectYourOrganization": "Velg din organisasjon",
+    "signInTo": "Logg inn på",
+    "signInWithPassword": "Fortsett med passord",
+    "noAuthMethodsAvailable": "Ingen autentiseringsmetoder er tilgjengelige for denne organisasjonen.",
+    "enterPassword": "Angi ditt passord",
+    "enterMfaCode": "Angi koden fra din autentiseringsapp",
+    "securityKeyRequired": "Vennligst bruk sikkerhetsnøkkelen til å logge på.",
+    "needToUseAnotherAccount": "Trenger du å bruke en annen konto?",
+    "loginLegalDisclaimer": "Ved å klikke på knappene nedenfor, erkjenner du at du har lest, forstår, og godtar <termsOfService>Vilkår for bruk</termsOfService> og <privacyPolicy>for Personvernerklæring</privacyPolicy>.",
+    "termsOfService": "Vilkår for bruk",
+    "privacyPolicy": "Retningslinjer for personvern",
+    "userNotFoundWithUsername": "Ingen bruker med det brukernavnet funnet.",
+    "verify": "Verifiser",
+    "signIn": "Logg inn",
+    "forgotPassword": "Glemt passord?",
+    "orgSignInTip": "Hvis du har logget inn før, kan du skrive inn brukernavnet eller e-postadressen ovenfor for å autentisere med organisasjonens identitetstjeneste i stedet. Det er enklere!",
+    "continueAnyway": "Fortsett likevel",
+    "dontShowAgain": "Ikke vis igjen",
+    "orgSignInNotice": "Visste du?",
+    "signupOrgNotice": "Prøver å logge inn?",
+    "signupOrgTip": "Prøver du å logge inn gjennom din organisasjons identitetsleverandør?",
+    "signupOrgLink": "Logg inn eller registrer deg med organisasjonen din i stedet",
+    "verifyEmailLogInWithDifferentAccount": "Bruk en annen konto",
+    "logIn": "Logg inn",
+    "deviceInformation": "Enhetens informasjon",
+    "deviceInformationDescription": "Informasjon om enheten og agenten",
+    "deviceSecurity": "Enhetens sikkerhet",
+    "deviceSecurityDescription": "Sikkerhetsstillings informasjon om utstyr",
+    "platform": "Plattform",
+    "macosVersion": "macOS versjon",
+    "windowsVersion": "Windows versjon",
+    "iosVersion": "iOS Versjon",
+    "androidVersion": "Android versjon",
+    "osVersion": "OS versjon",
+    "kernelVersion": "Kjerne versjon",
+    "deviceModel": "Enhets modell",
+    "serialNumber": "Serienummer",
+    "hostname": "Hostname",
+    "firstSeen": "Først sett",
+    "lastSeen": "Sist sett",
+    "biometricsEnabled": "Biometri aktivert",
+    "diskEncrypted": "Disk kryptert",
+    "firewallEnabled": "Brannmur aktivert",
+    "autoUpdatesEnabled": "Automatiske oppdateringer aktivert",
+    "tpmAvailable": "TPM tilgjengelig",
+    "windowsAntivirusEnabled": "Antivirus aktivert",
+    "macosSipEnabled": "System Integritetsbeskyttelse (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Brannmur Usynlig Modus",
+    "linuxAppArmorEnabled": "Rustning",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Vis enhetsinformasjon og innstillinger",
+    "devicePendingApprovalDescription": "Denne enheten venter på godkjenning",
+    "deviceBlockedDescription": "Denne enheten er blokkert. Det kan ikke kobles til noen ressurser med mindre de ikke blir blokkert.",
+    "unblockClient": "Avblokker klient",
+    "unblockClientDescription": "Enheten har blitt blokkert",
+    "unarchiveClient": "Fjern arkivering klient",
+    "unarchiveClientDescription": "Enheten er arkivert",
+    "block": "Blokker",
+    "unblock": "Avblokker",
+    "deviceActions": "Enhetens handlinger",
+    "deviceActionsDescription": "Administrer enhetsstatus og tilgang",
+    "devicePendingApprovalBannerDescription": "Denne enheten venter på godkjenning. Den kan ikke koble til ressurser før den er godkjent.",
+    "connected": "Tilkoblet",
+    "disconnected": "Frakoblet",
+    "approvalsEmptyStateTitle": "Enhetsgodkjenninger er ikke aktivert",
+    "approvalsEmptyStateDescription": "Aktivere godkjenninger av enheter for at roller må godkjennes av admin før brukere kan koble til nye enheter.",
+    "approvalsEmptyStateStep1Title": "Gå til roller",
+    "approvalsEmptyStateStep1Description": "Naviger til organisasjonens roller innstillinger for å konfigurere enhetsgodkjenninger.",
+    "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
+    "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
+    "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
+    "approvalsEmptyStateButtonText": "Administrer Roller"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -18,6 +18,8 @@
    "componentsMember": "Je bent lid van {count, plural, =0 {geen organisatie} one {één organisatie} other {# organisaties}}.",
    "componentsInvalidKey": "Ongeldige of verlopen licentiesleutels gedetecteerd. Volg de licentievoorwaarden om alle functies te blijven gebruiken.",
    "dismiss": "Uitschakelen",
+    "subscriptionViolationMessage": "U overschrijdt uw huidige abonnement. Corrigeer het probleem door sites, gebruikers of andere bronnen te verwijderen om binnen uw plan te blijven.",
+    "subscriptionViolationViewBilling": "Facturering bekijken",
    "componentsLicenseViolation": "Licentie overtreding: Deze server gebruikt {usedSites} sites die de gelicentieerde limiet van {maxSites} sites overschrijden. Volg de licentievoorwaarden om door te gaan met het gebruik van alle functies.",
    "componentsSupporterMessage": "Bedankt voor het ondersteunen van Pangolin als {tier}!",
    "inviteErrorNotValid": "Het spijt ons, maar de uitnodiging die je probeert te bezoeken is niet geaccepteerd of is niet meer geldig.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Verbind elk netwerk",
    "sitesBannerDescription": "Een site is een verbinding met een extern netwerk waarmee Pangolin toegang biedt tot bronnen, zowel openbaar als privé, aan gebruikers overal. Installeer de sitedatacenterconnector (Newt) overal waar je een binaire of container kunt uitvoeren om de verbinding tot stand te brengen.",
    "sitesBannerButtonText": "Site installeren",
+    "approvalsBannerTitle": "Toegang tot het apparaat goedkeuren of weigeren",
+    "approvalsBannerDescription": "Bekijk en keur toestelverzoeken goed of weiger toegang van gebruikers. Wanneer apparaatgoedkeuringen vereist zijn, moeten gebruikers de goedkeuring van beheerders krijgen voordat hun apparaten verbinding kunnen maken met de bronnen van uw organisatie.",
+    "approvalsBannerButtonText": "Meer informatie",
    "siteCreate": "Site maken",
    "siteCreateDescription2": "Volg de onderstaande stappen om een nieuwe site aan te maken en te verbinden",
    "siteCreateDescription": "Maak een nieuwe site aan om bronnen te verbinden",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Rollen zoeken...",
    "accessRolesAdd": "Rol toevoegen",
    "accessRoleDelete": "Verwijder rol",
+    "accessApprovalsManage": "Goedkeuringen beheren",
+    "accessApprovalsDescription": "Bekijk en beheer openstaande goedkeuringen voor toegang tot deze organisatie",
    "description": "Beschrijving",
    "inviteTitle": "Open uitnodigingen",
    "inviteDescription": "Beheer uitnodigingen voor andere gebruikers om deel te nemen aan de organisatie",
@@ -450,6 +457,18 @@
    "selectDuration": "Selecteer duur",
    "selectResource": "Selecteer Document",
    "filterByResource": "Filter op pagina",
+    "selectApprovalState": "Selecteer goedkeuringsstatus",
+    "filterByApprovalState": "Filter op goedkeuringsstatus",
+    "approvalListEmpty": "Geen goedkeuringen",
+    "approvalState": "Goedkeuring status",
+    "approve": "Goedkeuren",
+    "approved": "Goedgekeurd",
+    "denied": "Geweigerd",
+    "deniedApproval": "Geweigerde goedkeuring",
+    "all": "Alles",
+    "deny": "Weigeren",
+    "viewDetails": "Details bekijken",
+    "requestingNewDeviceApproval": "heeft een nieuw apparaat aangevraagd",
    "resetFilters": "Filters resetten",
    "totalBlocked": "Verzoeken geblokkeerd door Pangolin",
    "totalRequests": "Totaal verzoeken",
@@ -729,16 +748,28 @@
    "countries": "Landen",
    "accessRoleCreate": "Rol aanmaken",
    "accessRoleCreateDescription": "Maak een nieuwe rol aan om gebruikers te groeperen en hun rechten te beheren.",
+    "accessRoleEdit": "Rol bewerken",
+    "accessRoleEditDescription": "Bewerk rol informatie.",
    "accessRoleCreateSubmit": "Rol aanmaken",
    "accessRoleCreated": "Rol aangemaakt",
    "accessRoleCreatedDescription": "De rol is succesvol aangemaakt.",
    "accessRoleErrorCreate": "Rol aanmaken mislukt",
    "accessRoleErrorCreateDescription": "Fout opgetreden tijdens het aanmaken van de rol.",
+    "accessRoleUpdateSubmit": "Rol bijwerken",
+    "accessRoleUpdated": "Rol bijgewerkt",
+    "accessRoleUpdatedDescription": "De rol is succesvol bijgewerkt.",
+    "accessApprovalUpdated": "Afgewerkt met goedkeuring",
+    "accessApprovalApprovedDescription": "Stel het goedkeuringsverzoek in op goedkeuring.",
+    "accessApprovalDeniedDescription": "Stel de beslissing over het goedkeuringsverzoek in als geweigerd.",
+    "accessRoleErrorUpdate": "Bijwerken van rol mislukt",
+    "accessRoleErrorUpdateDescription": "Fout opgetreden tijdens het bijwerken van de rol.",
+    "accessApprovalErrorUpdate": "Kan goedkeuring niet verwerken",
+    "accessApprovalErrorUpdateDescription": "Er is een fout opgetreden bij het verwerken van de goedkeuring.",
    "accessRoleErrorNewRequired": "Nieuwe rol is vereist",
    "accessRoleErrorRemove": "Rol verwijderen mislukt",
    "accessRoleErrorRemoveDescription": "Er is een fout opgetreden tijdens het verwijderen van de rol.",
    "accessRoleName": "Rol naam",
-    "accessRoleQuestionRemove": "U staat op het punt de {name} rol te verwijderen. U kunt deze actie niet ongedaan maken.",
+    "accessRoleQuestionRemove": "Je staat op het punt de `{name}` rol te verwijderen. Je kunt deze actie niet ongedaan maken.",
    "accessRoleRemove": "Rol verwijderen",
    "accessRoleRemoveDescription": "Verwijder een rol van de organisatie",
    "accessRoleRemoveSubmit": "Rol verwijderen",
@@ -874,7 +905,7 @@
    "inviteAlready": "Het lijkt erop dat je bent uitgenodigd!",
    "inviteAlreadyDescription": "Om de uitnodiging te accepteren, moet je inloggen of een account aanmaken.",
    "signupQuestion": "Heeft u al een account?",
-    "login": "Inloggen",
+    "login": "Log in",
    "resourceNotFound": "Bron niet gevonden",
    "resourceNotFoundDescription": "De bron die u probeert te benaderen bestaat niet.",
    "pincodeRequirementsLength": "Pincode moet precies 6 cijfers zijn",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Neem contact op met uw beheerder",
    "passwordResetSmtpRequiredDescription": "Er is een wachtwoord reset code nodig om uw wachtwoord opnieuw in te stellen. Neem contact op met uw beheerder voor hulp.",
    "passwordBack": "Terug naar wachtwoord",
-    "loginBack": "Ga terug naar login",
+    "loginBack": "Ga terug naar de hoofdinlogpagina",
    "signup": "Registreer nu",
    "loginStart": "Log in om te beginnen",
    "idpOidcTokenValidating": "Valideer OIDC-token",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "IDP-org bijwerken",
    "actionCreateClient": "Client aanmaken",
    "actionDeleteClient": "Verwijder klant",
+    "actionArchiveClient": "Archiveer client",
+    "actionUnarchiveClient": "Dearchiveer client",
+    "actionBlockClient": "Blokkeer klant",
+    "actionUnblockClient": "Deblokkeer client",
    "actionUpdateClient": "Klant bijwerken",
    "actionListClients": "Lijst klanten",
    "actionGetClient": "Client ophalen",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Zoeken...",
    "create": "Aanmaken",
    "orgs": "Organisaties",
-    "loginError": "Er is een fout opgetreden tijdens het inloggen",
-    "loginRequiredForDevice": "Inloggen is vereist om je apparaat te verifiëren.",
+    "loginError": "Er is een onverwachte fout opgetreden. Probeer het opnieuw.",
+    "loginRequiredForDevice": "Inloggen is vereist voor je apparaat.",
    "passwordForgot": "Wachtwoord vergeten?",
    "otpAuth": "Tweestapsverificatie verificatie",
    "otpAuthDescription": "Voer de code van je authenticator-app of een van je reservekopiecodes voor het eenmalig gebruik in.",
    "otpAuthSubmit": "Code indienen",
    "idpContinue": "Of ga verder met",
-    "otpAuthBack": "Terug naar inloggen",
+    "otpAuthBack": "Terug naar wachtwoord",
    "navbar": "Navigatiemenu",
    "navbarDescription": "Hoofd navigatie menu voor de applicatie",
    "navbarDocsLink": "Documentatie",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Overzicht.",
    "sidebarHome": "Startpagina",
    "sidebarSites": "Werkruimtes",
+    "sidebarApprovals": "Goedkeuringsverzoeken",
    "sidebarResources": "Bronnen",
    "sidebarProxyResources": "Openbaar",
    "sidebarClientResources": "Privé",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Identiteit aanbieders",
    "sidebarLicense": "Licentie",
    "sidebarClients": "Clienten",
-    "sidebarUserDevices": "Gebruikers",
+    "sidebarUserDevices": "Gebruiker Apparaten",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domeinen",
    "sidebarGeneral": "Beheren",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Er is een fout opgetreden bij het maken van het serverbeheerdersaccount.",
    "certificateStatus": "Certificaatstatus",
    "loading": "Bezig met laden",
+    "loadingAnalytics": "Laden van Analytics",
    "restart": "Herstarten",
    "domains": "Domeinen",
    "domainsDescription": "Maak en beheer domeinen die beschikbaar zijn in de organisatie",
@@ -1304,6 +1341,7 @@
    "refreshError": "Het vernieuwen van gegevens is mislukt",
    "verified": "Gecontroleerd",
    "pending": "In afwachting",
+    "pendingApproval": "Wachten op goedkeuring",
    "sidebarBilling": "Facturering",
    "billing": "Facturering",
    "orgBillingDescription": "Beheer factureringsinformatie en abonnementen",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Overzicht gebruikslimieten",
    "billingMonitorUsage": "Houd uw gebruik in de gaten ten opzichte van de ingestelde limieten. Als u verhoogde limieten nodig heeft, neem dan contact met ons op support@pangolin.net.",
    "billingDataUsage": "Gegevensgebruik",
-    "billingOnlineTime": "Site Online Tijd",
-    "billingUsers": "Actieve Gebruikers",
-    "billingDomains": "Actieve Domeinen",
-    "billingRemoteExitNodes": "Actieve Zelfgehoste Nodes",
+    "billingSites": "Sites",
+    "billingUsers": "Gebruikers",
+    "billingDomains": "Domeinen",
+    "billingRemoteExitNodes": "Externe knooppunten",
    "billingNoLimitConfigured": "Geen limiet ingesteld",
    "billingEstimatedPeriod": "Geschatte Facturatie Periode",
    "billingIncludedUsage": "Opgenomen Gebruik",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Niet gelukt om portal URL te krijgen",
    "billingPortalError": "Portal Fout",
    "billingDataUsageInfo": "U bent in rekening gebracht voor alle gegevens die via uw beveiligde tunnels via de cloud worden verzonden. Dit omvat zowel inkomende als uitgaande verkeer over al uw sites. Wanneer u uw limiet bereikt zullen uw sites de verbinding verbreken totdat u uw abonnement upgradet of het gebruik vermindert. Gegevens worden niet in rekening gebracht bij het gebruik van knooppunten.",
-    "billingOnlineTimeInfo": "U wordt in rekening gebracht op basis van hoe lang uw sites verbonden blijven met de cloud. Bijvoorbeeld 44,640 minuten is gelijk aan één site met 24/7 voor een volledige maand. Wanneer u uw limiet bereikt, zal de verbinding tussen uw sites worden verbroken totdat u een upgrade van uw abonnement uitvoert of het gebruik vermindert. Tijd wordt niet belast bij het gebruik van knooppunten.",
-    "billingUsersInfo": "U bent in rekening gebracht voor elke gebruiker in de organisatie. Facturering wordt dagelijks berekend op basis van het aantal actieve gebruikersaccounts in uw org.",
-    "billingDomainInfo": "U wordt voor elk domein in de organisatie in rekening gebracht. Facturering wordt dagelijks berekend op basis van het aantal actieve domeinaccounts in uw org.",
-    "billingRemoteExitNodesInfo": "U bent belast voor elke beheerde node in de organisatie. Facturering wordt dagelijks berekend op basis van het aantal actieve beheerde knooppunten in uw org.",
+    "billingSInfo": "Hoeveel sites u kunt gebruiken",
+    "billingUsersInfo": "Hoeveel gebruikers je kan gebruiken",
+    "billingDomainInfo": "Hoeveel domeinen je kunt gebruiken",
+    "billingRemoteExitNodesInfo": "Hoeveel externe nodes je kunt gebruiken",
+    "billingLicenseKeys": "Licentie Sleutels",
+    "billingLicenseKeysDescription": "Beheer uw licentiesleutelabonnementen",
+    "billingLicenseSubscription": "Licentie abonnement",
+    "billingInactive": "Inactief",
+    "billingLicenseItem": "Licentie artikel",
+    "billingQuantity": "Aantal",
+    "billingTotal": "totaal",
+    "billingModifyLicenses": "Licentieabonnement wijzigen",
    "domainNotFound": "Domein niet gevonden",
    "domainNotFoundDescription": "Deze bron is uitgeschakeld omdat het domein niet langer in ons systeem bestaat. Stel een nieuw domein in voor deze bron.",
    "failed": "Mislukt",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Beveiligingssleutel succesvol verwijderd",
    "securityKeyRemoveError": "Fout bij verwijderen van beveiligingssleutel",
    "securityKeyLoadError": "Fout bij laden van beveiligingssleutels",
-    "securityKeyLogin": "Doorgaan met beveiligingssleutel",
+    "securityKeyLogin": "Gebruik beveiligingssleutel",
    "securityKeyAuthError": "Fout bij authenticatie met beveiligingssleutel",
    "securityKeyRecommendation": "Overweeg om een andere beveiligingssleutel te registreren op een ander apparaat om ervoor te zorgen dat u niet buitengesloten raakt van uw account.",
    "registering": "Registreren...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Poortnummer is vereist voor niet-HTTP-bronnen",
    "resourcePortNotAllowed": "Poortnummer mag niet worden ingesteld voor HTTP-bronnen",
    "billingPricingCalculatorLink": "Prijs Calculator",
+    "billingYourPlan": "Uw abonnement",
+    "billingViewOrModifyPlan": "Bekijk of wijzig uw huidige abonnement",
+    "billingViewPlanDetails": "Abonnementsdetails bekijken",
+    "billingUsageAndLimits": "Gebruik en limieten",
+    "billingViewUsageAndLimits": "Limiet van je abonnement en huidig gebruik bekijken",
+    "billingCurrentUsage": "Huidig gebruik",
+    "billingMaximumLimits": "Maximaal aantal limieten",
+    "billingRemoteNodes": "Externe knooppunten",
+    "billingUnlimited": "Onbeperkt",
+    "billingPaidLicenseKeys": "Betaalde licentiesleutels",
+    "billingManageLicenseSubscription": "Beheer je abonnement voor betaalde zelf gehoste licentiesleutels",
+    "billingCurrentKeys": "Huidige toetsen",
+    "billingModifyCurrentPlan": "Huidig plan wijzigen",
+    "billingConfirmUpgrade": "Bevestig Upgrade",
+    "billingConfirmDowngrade": "Downgraden bevestigen",
+    "billingConfirmUpgradeDescription": "U staat op het punt uw abonnement te upgraden. Controleer de nieuwe limieten en prijzen hieronder.",
+    "billingConfirmDowngradeDescription": "U staat op het punt om uw abonnement te downgraden. Controleer de nieuwe limieten en prijzen hieronder.",
+    "billingPlanIncludes": "Abonnement bevat",
+    "billingProcessing": "Verwerken...",
+    "billingConfirmUpgradeButton": "Bevestig Upgrade",
+    "billingConfirmDowngradeButton": "Downgraden bevestigen",
+    "billingLimitViolationWarning": "Gebruik Overschrijdt nieuwe Plan Limieten",
+    "billingLimitViolationDescription": "Uw huidige verbruik overschrijdt de limieten van dit plan. Na het downgraden worden alle acties uitgeschakeld totdat u het verbruik vermindert binnen de nieuwe grenzen. Controleer de onderstaande functies die de limieten overschrijden. Beperkingen in overtreding:",
+    "billingFeatureLossWarning": "Kennisgeving beschikbaarheid",
+    "billingFeatureLossDescription": "Door downgraden worden functies die niet beschikbaar zijn in het nieuwe abonnement automatisch uitgeschakeld. Sommige instellingen en configuraties kunnen verloren gaan. Raadpleeg de prijsmatrix om te begrijpen welke functies niet langer beschikbaar zijn.",
+    "billingUsageExceedsLimit": "Huidig gebruik ({current}) overschrijdt limiet ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Ik ga akkoord met de",
        "termsOfService": "servicevoorwaarden",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Gezonde Interval",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Tijd is in seconden",
+    "requireDeviceApproval": "Vereist goedkeuring van apparaat",
+    "requireDeviceApprovalDescription": "Gebruikers met deze rol hebben nieuwe apparaten nodig die door een beheerder zijn goedgekeurd voordat ze verbinding kunnen maken met bronnen en deze kunnen gebruiken.",
    "retryAttempts": "Herhaal Pogingen",
    "expectedResponseCodes": "Verwachte Reactiecodes",
    "expectedResponseCodesDescription": "HTTP-statuscode die gezonde status aangeeft. Indien leeg wordt 200-300 als gezond beschouwd.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Geen interne bronnen gevonden.",
    "resourcesTableDestination": "Bestemming",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias adres",
+    "resourcesTableAliasAddressInfo": "Dit adres is onderdeel van het hulpprogramma subnet van de organisatie. Het wordt gebruikt om aliasrecords op te lossen met behulp van interne DNS-resolutie.",
    "resourcesTableClients": "Clienten",
    "resourcesTableAndOnlyAccessibleInternally": "en zijn alleen intern toegankelijk wanneer verbonden met een client.",
    "resourcesTableNoTargets": "Geen doelen",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
    "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
    "orgAuthSignInWithPangolin": "Log in met Pangolin",
-    "orgAuthSignInToOrg": "Meld u aan bij een organisatie",
+    "orgAuthSignInToOrg": "Log in bij een organisatie",
    "orgAuthSelectOrgTitle": "Organisatie Inloggen",
    "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
    "orgAuthOrgIdPlaceholder": "jouw-organisatie",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Terug naar standaard aanmelden",
    "orgAuthNoAccount": "Nog geen account?",
    "subscriptionRequiredToUse": "Een abonnement is vereist om deze functie te gebruiken.",
+    "mustUpgradeToUse": "U moet uw abonnement upgraden om deze functie te gebruiken.",
+    "subscriptionRequiredTierToUse": "Deze functie vereist <tierLink>{tier}</tierLink> of hoger.",
+    "upgradeToTierToUse": "Upgrade naar <tierLink>{tier}</tierLink> of hoger om deze functie te gebruiken.",
+    "subscriptionTierTier1": "Startpagina",
+    "subscriptionTierTier2": "Team",
+    "subscriptionTierTier3": "Bedrijfsleven",
+    "subscriptionTierEnterprise": "Onderneming",
    "idpDisabled": "Identiteitsaanbieders zijn uitgeschakeld.",
    "orgAuthPageDisabled": "Pagina voor organisatie-authenticatie is uitgeschakeld.",
    "domainRestartedDescription": "Domeinverificatie met succes opnieuw gestart",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Krijg een licentie",
+        "description": "Kies een plan en vertel ons hoe u Pangolin wilt gebruiken.",
+        "chooseTier": "Kies uw abonnement",
+        "viewPricingLink": "Zie prijzen, functies en limieten",
+        "tiers": {
+            "starter": {
+                "title": "Beginner",
+                "description": "Enterprise functies, 25 gebruikers, 25 sites en community ondersteuning."
+            },
+            "scale": {
+                "title": "Schaal",
+                "description": "Enterprise functies, 50 gebruikers, 50 sites en prioriteit ondersteuning."
+            }
+        },
+        "personalUseOnly": "Alleen persoonlijk gebruik (gratis licentie - geen afrekenen)",
+        "buttons": {
+            "continueToCheckout": "Doorgaan naar afrekenen"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Fout bij afrekenen",
+                "description": "Kan de afhandeling niet starten. Probeer het opnieuw."
+            }
+        }
+    },
    "priority": "Prioriteit",
    "priorityDescription": "routes met hogere prioriteit worden eerst geëvalueerd. Prioriteit = 100 betekent automatisch bestellen (systeem beslist de). Gebruik een ander nummer om handmatige prioriteit af te dwingen.",
    "instanceName": "Naam instantie",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
    "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
    "licenseRequiredToUse": "Een Enterprise-licentie is vereist om deze functie te gebruiken.",
+    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken.",
    "certResolver": "Certificaat Resolver",
    "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
    "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Code moet 9 tekens bevatten (bijv. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ongeldige of verlopen code",
    "deviceCodeVerifyFailed": "Apparaatcode verifiëren mislukt",
+    "deviceCodeValidating": "Apparaatcode valideren...",
+    "deviceCodeVerifying": "Apparaatmachtiging verifiëren...",
    "signedInAs": "Ingelogd als",
    "deviceCodeEnterPrompt": "Voer de op het apparaat weergegeven code in",
    "continue": "Doorgaan",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Toegang tot alle organisaties waar uw account toegang tot heeft",
    "deviceAuthorize": "Autoriseer {applicationName}",
    "deviceConnected": "Apparaat verbonden!",
-    "deviceAuthorizedMessage": "Apparaat is gemachtigd om toegang te krijgen tot je account.",
+    "deviceAuthorizedMessage": "Apparaat is gemachtigd om toegang te krijgen tot je account. Ga terug naar de client applicatie.",
    "pangolinCloud": "Pangoline Cloud",
    "viewDevices": "Bekijk apparaten",
    "viewDevicesDescription": "Beheer uw aangesloten apparaten",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Niet u? Gebruik een ander account.",
    "deviceLoginDeviceRequestingAccessToAccount": "Een apparaat vraagt om toegang tot dit account.",
+    "loginSelectAuthenticationMethod": "Selecteer een verificatiemethode om door te gaan.",
    "noData": "Geen gegevens",
    "machineClients": "Machine Clienten",
    "install": "Installeren",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Dienst tijdelijk niet beschikbaar",
    "maintenanceScreenMessage": "We hebben momenteel technische problemen. Probeer het later opnieuw.",
    "maintenanceScreenEstimatedCompletion": "Geschatte voltooiing:",
-    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist"
+    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist",
+    "available": "Beschikbaar",
+    "archived": "Gearchiveerd",
+    "noArchivedDevices": "Geen gearchiveerde apparaten gevonden",
+    "deviceArchived": "Apparaat gearchiveerd",
+    "deviceArchivedDescription": "Het apparaat is met succes gearchiveerd.",
+    "errorArchivingDevice": "Fout bij archiveren apparaat",
+    "failedToArchiveDevice": "Kan apparaat niet archiveren",
+    "deviceQuestionArchive": "Weet u zeker dat u dit apparaat wilt archiveren?",
+    "deviceMessageArchive": "Het apparaat wordt gearchiveerd en verwijderd uit de lijst met actieve apparaten.",
+    "deviceArchiveConfirm": "Archiveer apparaat",
+    "archiveDevice": "Archiveer apparaat",
+    "archive": "Archief",
+    "deviceUnarchived": "Apparaat niet gearchiveerd",
+    "deviceUnarchivedDescription": "Het apparaat is met succes gedearchiveerd.",
+    "errorUnarchivingDevice": "Fout bij dearchiveren van apparaat",
+    "failedToUnarchiveDevice": "Apparaat dearchiveren mislukt",
+    "unarchive": "Dearchiveren",
+    "archiveClient": "Archiveer client",
+    "archiveClientQuestion": "Weet u zeker dat u deze client wilt archiveren?",
+    "archiveClientMessage": "De klant zal worden gearchiveerd en verwijderd uit de lijst met actieve cliënten.",
+    "archiveClientConfirm": "Archiveer client",
+    "blockClient": "Blokkeer klant",
+    "blockClientQuestion": "Weet u zeker dat u deze cliënt wilt blokkeren?",
+    "blockClientMessage": "Het apparaat zal worden gedwongen de verbinding te verbreken als het momenteel is verbonden. U kunt het apparaat later deblokkeren.",
+    "blockClientConfirm": "Blokkeer klant",
+    "active": "actief",
+    "usernameOrEmail": "Gebruikersnaam of e-mailadres",
+    "selectYourOrganization": "Selecteer uw organisatie",
+    "signInTo": "Log in op",
+    "signInWithPassword": "Ga verder met wachtwoord",
+    "noAuthMethodsAvailable": "Geen verificatiemethoden beschikbaar voor deze organisatie.",
+    "enterPassword": "Voer je wachtwoord in",
+    "enterMfaCode": "Voer de code van je authenticator-app in",
+    "securityKeyRequired": "Gebruik uw beveiligingssleutel om in te loggen.",
+    "needToUseAnotherAccount": "Wilt u een ander account gebruiken?",
+    "loginLegalDisclaimer": "Door op de knoppen hieronder te klikken, erken je dat je gelezen en begrepen hebt en ga akkoord met de <termsOfService>Gebruiksvoorwaarden</termsOfService> en <privacyPolicy>Privacybeleid</privacyPolicy>.",
+    "termsOfService": "Algemene gebruiksvoorwaarden",
+    "privacyPolicy": "Privacy Beleid",
+    "userNotFoundWithUsername": "Geen gebruiker gevonden met die gebruikersnaam.",
+    "verify": "Verifiëren",
+    "signIn": "Log in",
+    "forgotPassword": "Wachtwoord vergeten?",
+    "orgSignInTip": "Als u eerder bent ingelogd, kunt u uw gebruikersnaam of e-mail hierboven invoeren om in plaats daarvan te verifiëren met de identiteitsprovider van uw organisatie! Het is makkelijk!",
+    "continueAnyway": "Toch doorgaan",
+    "dontShowAgain": "Niet meer weergeven",
+    "orgSignInNotice": "Wist u dat?",
+    "signupOrgNotice": "Proberen je aan te melden?",
+    "signupOrgTip": "Probeert u zich aan te melden via de identiteitsprovider van uw organisatie?",
+    "signupOrgLink": "Log in of meld je aan bij je organisatie",
+    "verifyEmailLogInWithDifferentAccount": "Gebruik een ander account",
+    "logIn": "Log in",
+    "deviceInformation": "Apparaat informatie",
+    "deviceInformationDescription": "Informatie over het apparaat en de agent",
+    "deviceSecurity": "Apparaat beveiliging",
+    "deviceSecurityDescription": "Apparaat beveiligingsinformatie",
+    "platform": "Platform",
+    "macosVersion": "macOS versie",
+    "windowsVersion": "Windows versie",
+    "iosVersion": "iOS versie",
+    "androidVersion": "Android versie",
+    "osVersion": "OS versie",
+    "kernelVersion": "Kernel versie",
+    "deviceModel": "Apparaat model",
+    "serialNumber": "Serienummer",
+    "hostname": "Hostname",
+    "firstSeen": "Eerst gezien",
+    "lastSeen": "Laatst gezien op",
+    "biometricsEnabled": "Biometrie ingeschakeld",
+    "diskEncrypted": "Schijf versleuteld",
+    "firewallEnabled": "Firewall ingeschakeld",
+    "autoUpdatesEnabled": "Auto Updates Ingeschakeld",
+    "tpmAvailable": "TPM beschikbaar",
+    "windowsAntivirusEnabled": "Antivirus ingeschakeld",
+    "macosSipEnabled": "Systeemintegriteitsbescherming (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Verberg Modus",
+    "linuxAppArmorEnabled": "Appharnas",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Apparaatinformatie en -instellingen bekijken",
+    "devicePendingApprovalDescription": "Dit apparaat wacht op goedkeuring",
+    "deviceBlockedDescription": "Dit apparaat is momenteel geblokkeerd. Het kan geen verbinding maken met bronnen tenzij het wordt gedeblokkeerd.",
+    "unblockClient": "Deblokkeer client",
+    "unblockClientDescription": "Het apparaat is gedeblokkeerd",
+    "unarchiveClient": "Dearchiveer client",
+    "unarchiveClientDescription": "Het apparaat is gedearchiveerd",
+    "block": "Blokkeren",
+    "unblock": "Deblokkeer",
+    "deviceActions": "Apparaat Acties",
+    "deviceActionsDescription": "Apparaatstatus en toegang beheren",
+    "devicePendingApprovalBannerDescription": "Dit apparaat wacht op goedkeuring. Het zal niet in staat zijn verbinding te maken met bronnen totdat het is goedgekeurd.",
+    "connected": "Verbonden",
+    "disconnected": "Losgekoppeld",
+    "approvalsEmptyStateTitle": "Apparaat goedkeuringen niet ingeschakeld",
+    "approvalsEmptyStateDescription": "Apparaatgoedkeuringen voor rollen inschakelen om goedkeuring van de beheerder te vereisen voordat gebruikers nieuwe apparaten kunnen koppelen.",
+    "approvalsEmptyStateStep1Title": "Ga naar rollen",
+    "approvalsEmptyStateStep1Description": "Navigeer naar de rolinstellingen van uw organisatie om apparaatgoedkeuringen te configureren.",
+    "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
+    "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
+    "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
+    "approvalsEmptyStateButtonText": "Rollen beheren"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -18,6 +18,8 @@
    "componentsMember": "Jesteś członkiem {count, plural, =0 {żadna organizacja} one {jedna organizacja} few {# organizacje} many {# organizacji} other {# organizacji}}.",
    "componentsInvalidKey": "Wykryto nieprawidłowe lub wygasłe klucze licencyjne. Postępuj zgodnie z warunkami licencji, aby kontynuować korzystanie ze wszystkich funkcji.",
    "dismiss": "Odrzuć",
+    "subscriptionViolationMessage": "Nie masz ograniczeń dla aktualnego planu. Popraw problem poprzez usunięcie stron, użytkowników lub innych zasobów, aby pozostać w swoim planie.",
+    "subscriptionViolationViewBilling": "Zobacz rozliczenie",
    "componentsLicenseViolation": "Naruszenie licencji: Ten serwer używa stron {usedSites} , które przekraczają limit licencyjny stron {maxSites} . Postępuj zgodnie z warunkami licencji, aby kontynuować korzystanie ze wszystkich funkcji.",
    "componentsSupporterMessage": "Dziękujemy za wsparcie Pangolina jako {tier}!",
    "inviteErrorNotValid": "Przykro nam, ale wygląda na to, że zaproszenie, do którego próbujesz uzyskać dostęp, nie zostało zaakceptowane lub jest już nieważne.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Połącz dowolną sieć",
    "sitesBannerDescription": "Witryna to połączenie z siecią zdalną, które umożliwia Pangolinowi zapewnienie dostępu do zasobów, publicznych lub prywatnych, użytkownikom w dowolnym miejscu. Zainstaluj łącznik sieci w witrynie (Newt) w dowolnym miejscu, w którym możesz uruchomić binarkę lub kontener, aby ustanowić połączenie.",
    "sitesBannerButtonText": "Zainstaluj witrynę",
+    "approvalsBannerTitle": "Zatwierdź lub odmów dostępu do urządzenia",
+    "approvalsBannerDescription": "Przejrzyj i zatwierdzaj lub odmawiaj użytkownikom dostępu do urządzenia. Gdy wymagane jest zatwierdzenie urządzenia, użytkownicy muszą uzyskać zatwierdzenie administratora, zanim ich urządzenia będą mogły połączyć się z zasobami Twojej organizacji.",
+    "approvalsBannerButtonText": "Dowiedz się więcej",
    "siteCreate": "Utwórz witrynę",
    "siteCreateDescription2": "Wykonaj poniższe kroki, aby utworzyć i połączyć nową witrynę",
    "siteCreateDescription": "Utwórz nową witrynę, aby rozpocząć łączenie zasobów",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Szukaj ról...",
    "accessRolesAdd": "Dodaj rolę",
    "accessRoleDelete": "Usuń rolę",
+    "accessApprovalsManage": "Zarządzaj zatwierdzaniem",
+    "accessApprovalsDescription": "Przeglądaj i zarządzaj oczekującymi zatwierdzeniami dostępu do tej organizacji",
    "description": "Opis",
    "inviteTitle": "Otwórz zaproszenia",
    "inviteDescription": "Zarządzaj zaproszeniami dla innych użytkowników do dołączenia do organizacji",
@@ -450,6 +457,18 @@
    "selectDuration": "Wybierz okres",
    "selectResource": "Wybierz zasób",
    "filterByResource": "Filtruj według zasobów",
+    "selectApprovalState": "Wybierz województwo zatwierdzające",
+    "filterByApprovalState": "Filtruj według państwa zatwierdzenia",
+    "approvalListEmpty": "Brak zatwierdzeń",
+    "approvalState": "Państwo zatwierdzające",
+    "approve": "Zatwierdź",
+    "approved": "Zatwierdzone",
+    "denied": "Odmowa",
+    "deniedApproval": "Odrzucono zatwierdzenie",
+    "all": "Wszystko",
+    "deny": "Odmowa",
+    "viewDetails": "Zobacz szczegóły",
+    "requestingNewDeviceApproval": "zażądano nowego urządzenia",
    "resetFilters": "Resetuj filtry",
    "totalBlocked": "Żądania zablokowane przez Pangolina",
    "totalRequests": "Wszystkich Żądań",
@@ -729,16 +748,28 @@
    "countries": "Kraje",
    "accessRoleCreate": "Utwórz rolę",
    "accessRoleCreateDescription": "Utwórz nową rolę aby zgrupować użytkowników i zarządzać ich uprawnieniami.",
+    "accessRoleEdit": "Edytuj rolę",
+    "accessRoleEditDescription": "Edytuj informacje o rolach.",
    "accessRoleCreateSubmit": "Utwórz rolę",
    "accessRoleCreated": "Rola utworzona",
    "accessRoleCreatedDescription": "Rola została pomyślnie utworzona.",
    "accessRoleErrorCreate": "Nie udało się utworzyć roli",
    "accessRoleErrorCreateDescription": "Wystąpił błąd podczas tworzenia roli.",
+    "accessRoleUpdateSubmit": "Aktualizuj rolę",
+    "accessRoleUpdated": "Rola zaktualizowana",
+    "accessRoleUpdatedDescription": "Rola została pomyślnie zaktualizowana.",
+    "accessApprovalUpdated": "Zatwierdzenie przetworzone",
+    "accessApprovalApprovedDescription": "Ustaw decyzję o zatwierdzeniu wniosku o zatwierdzenie.",
+    "accessApprovalDeniedDescription": "Ustaw decyzję o odrzuceniu wniosku o zatwierdzenie.",
+    "accessRoleErrorUpdate": "Nie udało się zaktualizować roli",
+    "accessRoleErrorUpdateDescription": "Wystąpił błąd podczas aktualizowania roli.",
+    "accessApprovalErrorUpdate": "Nie udało się przetworzyć zatwierdzenia",
+    "accessApprovalErrorUpdateDescription": "Wystąpił błąd podczas przetwarzania zatwierdzenia.",
    "accessRoleErrorNewRequired": "Nowa rola jest wymagana",
    "accessRoleErrorRemove": "Nie udało się usunąć roli",
    "accessRoleErrorRemoveDescription": "Wystąpił błąd podczas usuwania roli.",
    "accessRoleName": "Nazwa roli",
-    "accessRoleQuestionRemove": "Zamierzasz usunąć rolę {name}. Tej akcji nie można cofnąć.",
+    "accessRoleQuestionRemove": "Zamierzasz usunąć rolę `{name}`. Nie możesz cofnąć tej czynności.",
    "accessRoleRemove": "Usuń rolę",
    "accessRoleRemoveDescription": "Usuń rolę z organizacji",
    "accessRoleRemoveSubmit": "Usuń rolę",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Organizacja wymaga zmiany hasła co {maxDays} dni.",
    "changePasswordNow": "Zmień hasło teraz",
    "pincodeAuth": "Kod uwierzytelniający",
-    "pincodeSubmit2": "Wyślij kod",
+    "pincodeSubmit2": "Prześlij kod",
    "passwordResetSubmit": "Zażądaj resetowania",
    "passwordResetAlreadyHaveCode": "Wprowadź kod",
    "passwordResetSmtpRequired": "Skontaktuj się z administratorem",
    "passwordResetSmtpRequiredDescription": "Aby zresetować hasło, wymagany jest kod resetowania hasła. Skontaktuj się z administratorem.",
    "passwordBack": "Powrót do hasła",
-    "loginBack": "Wróć do logowania",
+    "loginBack": "Wróć do strony logowania głównego",
    "signup": "Zarejestruj się",
    "loginStart": "Zaloguj się, aby rozpocząć",
    "idpOidcTokenValidating": "Walidacja tokena OIDC",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Aktualizuj organizację IDP",
    "actionCreateClient": "Utwórz klienta",
    "actionDeleteClient": "Usuń klienta",
+    "actionArchiveClient": "Zarchiwizuj klienta",
+    "actionUnarchiveClient": "Usuń archiwizację klienta",
+    "actionBlockClient": "Zablokuj klienta",
+    "actionUnblockClient": "Odblokuj klienta",
    "actionUpdateClient": "Aktualizuj klienta",
    "actionListClients": "Lista klientów",
    "actionGetClient": "Pobierz klienta",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Szukaj...",
    "create": "Utwórz",
    "orgs": "Organizacje",
-    "loginError": "Wystąpił błąd podczas logowania",
-    "loginRequiredForDevice": "Logowanie jest wymagane do uwierzytelnienia urządzenia.",
+    "loginError": "Wystąpił nieoczekiwany błąd. Spróbuj ponownie.",
+    "loginRequiredForDevice": "Logowanie jest wymagane dla Twojego urządzenia.",
    "passwordForgot": "Zapomniałeś hasła?",
    "otpAuth": "Uwierzytelnianie dwuskładnikowe",
    "otpAuthDescription": "Wprowadź kod z aplikacji uwierzytelniającej lub jeden z jednorazowych kodów zapasowych.",
    "otpAuthSubmit": "Wyślij kod",
    "idpContinue": "Lub kontynuuj z",
-    "otpAuthBack": "Powrót do logowania",
+    "otpAuthBack": "Powrót do hasła",
    "navbar": "Menu nawigacyjne",
    "navbarDescription": "Główne menu nawigacyjne aplikacji",
    "navbarDocsLink": "Dokumentacja",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Przegląd",
    "sidebarHome": "Strona główna",
    "sidebarSites": "Witryny",
+    "sidebarApprovals": "Wnioski o zatwierdzenie",
    "sidebarResources": "Zasoby",
    "sidebarProxyResources": "Publiczne",
    "sidebarClientResources": "Prywatny",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Dostawcy tożsamości",
    "sidebarLicense": "Licencja",
    "sidebarClients": "Klienty",
-    "sidebarUserDevices": "Użytkownicy",
+    "sidebarUserDevices": "Urządzenia użytkownika",
    "sidebarMachineClients": "Maszyny",
    "sidebarDomains": "Domeny",
    "sidebarGeneral": "Zarządzaj",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Wystąpił błąd podczas tworzenia konta administratora serwera.",
    "certificateStatus": "Status certyfikatu",
    "loading": "Ładowanie",
+    "loadingAnalytics": "Ładowanie Analityki",
    "restart": "Uruchom ponownie",
    "domains": "Domeny",
    "domainsDescription": "Tworzenie domen dostępnych w organizacji i zarządzanie nimi",
@@ -1304,6 +1341,7 @@
    "refreshError": "Nie udało się odświeżyć danych",
    "verified": "Zatwierdzony",
    "pending": "Oczekuje",
+    "pendingApproval": "Oczekujące na zatwierdzenie",
    "sidebarBilling": "Fakturowanie",
    "billing": "Fakturowanie",
    "orgBillingDescription": "Zarządzaj informacjami rozliczeniowymi i subskrypcjami",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Przegląd Limitów Użytkowania",
    "billingMonitorUsage": "Monitoruj swoje wykorzystanie w porównaniu do skonfigurowanych limitów. Jeśli potrzebujesz zwiększenia limitów, skontaktuj się z nami pod adresem support@pangolin.net.",
    "billingDataUsage": "Użycie danych",
-    "billingOnlineTime": "Czas Online Strony",
-    "billingUsers": "Aktywni użytkownicy",
-    "billingDomains": "Aktywne domeny",
-    "billingRemoteExitNodes": "Aktywne samodzielnie-hostowane węzły",
+    "billingSites": "Witryny",
+    "billingUsers": "Użytkownicy",
+    "billingDomains": "Domeny",
+    "billingRemoteExitNodes": "Zdalne węzły",
    "billingNoLimitConfigured": "Nie skonfigurowano limitu",
    "billingEstimatedPeriod": "Szacowany Okres Rozliczeniowy",
    "billingIncludedUsage": "Zawarte użycie",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Nie udało się uzyskać adresu URL portalu",
    "billingPortalError": "Błąd Portalu",
    "billingDataUsageInfo": "Jesteś obciążony za wszystkie dane przesyłane przez bezpieczne tunele, gdy jesteś podłączony do chmury. Obejmuje to zarówno ruch przychodzący, jak i wychodzący we wszystkich Twoich witrynach. Gdy osiągniesz swój limit, twoje strony zostaną rozłączone, dopóki nie zaktualizujesz planu lub nie ograniczysz użycia. Dane nie będą naliczane przy użyciu węzłów.",
-    "billingOnlineTimeInfo": "Opłata zależy od tego, jak długo twoje strony pozostają połączone z chmurą. Na przykład 44,640 minut oznacza jedną stronę działającą 24/7 przez cały miesiąc. Kiedy osiągniesz swój limit, twoje strony zostaną rozłączone, dopóki nie zaktualizujesz planu lub nie zmniejsz jego wykorzystania. Czas nie będzie naliczany przy użyciu węzłów.",
-    "billingUsersInfo": "Opłata za każdego użytkownika w organizacji. Płatność jest obliczana codziennie na podstawie liczby aktywnych kont użytkowników w Twojej organizacji.",
-    "billingDomainInfo": "Opłata za każdą domenę w organizacji. Płatność jest obliczana codziennie na podstawie liczby aktywnych kont domen w Twojej organizacji.",
-    "billingRemoteExitNodesInfo": "Opłata za każdy zarządzany węzeł w organizacji. Płatność jest obliczana codziennie na podstawie liczby aktywnych zarządzanych węzłów w Twojej organizacji.",
+    "billingSInfo": "Ile stron możesz użyć",
+    "billingUsersInfo": "Ile użytkowników możesz użyć",
+    "billingDomainInfo": "Ile domen możesz użyć",
+    "billingRemoteExitNodesInfo": "Ile zdalnych węzłów możesz użyć",
+    "billingLicenseKeys": "Klucze licencyjne",
+    "billingLicenseKeysDescription": "Zarządzaj subskrypcjami kluczy licencyjnych",
+    "billingLicenseSubscription": "Subskrypcja licencji",
+    "billingInactive": "Nieaktywny",
+    "billingLicenseItem": "Element licencji",
+    "billingQuantity": "Ilość",
+    "billingTotal": "łącznie",
+    "billingModifyLicenses": "Modyfikuj subskrypcję licencji",
    "domainNotFound": "Nie znaleziono domeny",
    "domainNotFoundDescription": "Zasób jest wyłączony, ponieważ domena nie istnieje już w naszym systemie. Proszę ustawić nową domenę dla tego zasobu.",
    "failed": "Niepowodzenie",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Klucz bezpieczeństwa został pomyślnie usunięty",
    "securityKeyRemoveError": "Błąd podczas usuwania klucza bezpieczeństwa",
    "securityKeyLoadError": "Błąd podczas ładowania kluczy bezpieczeństwa",
-    "securityKeyLogin": "Zaloguj się kluczem bezpieczeństwa",
+    "securityKeyLogin": "Użyj klucza bezpieczeństwa",
    "securityKeyAuthError": "Błąd podczas uwierzytelniania kluczem bezpieczeństwa",
    "securityKeyRecommendation": "Rozważ zarejestrowanie innego klucza bezpieczeństwa na innym urządzeniu, aby upewnić się, że nie zostaniesz zablokowany z dostępu do swojego konta.",
    "registering": "Rejestracja...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Numer portu jest wymagany dla zasobów non-HTTP",
    "resourcePortNotAllowed": "Numer portu nie powinien być ustawiony dla zasobów HTTP",
    "billingPricingCalculatorLink": "Kalkulator Cen",
+    "billingYourPlan": "Twój plan",
+    "billingViewOrModifyPlan": "Wyświetl lub zmodyfikuj swój aktualny plan",
+    "billingViewPlanDetails": "Zobacz szczegóły planu",
+    "billingUsageAndLimits": "Stosowanie i ograniczenia",
+    "billingViewUsageAndLimits": "Zobacz limity swojego planu i bieżące użycie",
+    "billingCurrentUsage": "Bieżące użycie",
+    "billingMaximumLimits": "Maksymalne limity",
+    "billingRemoteNodes": "Zdalne węzły",
+    "billingUnlimited": "Nieograniczona",
+    "billingPaidLicenseKeys": "Płatne klucze licencyjne",
+    "billingManageLicenseSubscription": "Zarządzaj subskrypcją płatnych własnych kluczy licencyjnych",
+    "billingCurrentKeys": "Bieżące klucze",
+    "billingModifyCurrentPlan": "Modyfikuj bieżący plan",
+    "billingConfirmUpgrade": "Potwierdź aktualizację",
+    "billingConfirmDowngrade": "Potwierdź obniżenie",
+    "billingConfirmUpgradeDescription": "Zamierzasz ulepszyć swój plan. Przejrzyj nowe limity i ceny poniżej.",
+    "billingConfirmDowngradeDescription": "Zamierzasz obniżyć swój plan. Przejrzyj nowe limity i ceny poniżej.",
+    "billingPlanIncludes": "Plan zawiera",
+    "billingProcessing": "Przetwarzanie...",
+    "billingConfirmUpgradeButton": "Potwierdź aktualizację",
+    "billingConfirmDowngradeButton": "Potwierdź obniżenie",
+    "billingLimitViolationWarning": "Użycie przekracza nowe limity planu",
+    "billingLimitViolationDescription": "Bieżące użycie przekracza limity tego planu. Po obniżeniu, wszystkie działania zostaną wyłączone, dopóki nie zmniejsz zużycia w ramach nowych limitów. Zapoznaj się z poniższymi funkcjami, które obecnie przekraczają limity. Limity naruszenia:",
+    "billingFeatureLossWarning": "Powiadomienie o dostępności funkcji",
+    "billingFeatureLossDescription": "Po obniżeniu wartości funkcje niedostępne w nowym planie zostaną automatycznie wyłączone. Niektóre ustawienia i konfiguracje mogą zostać utracone. Zapoznaj się z matrycą cenową, aby zrozumieć, które funkcje nie będą już dostępne.",
+    "billingUsageExceedsLimit": "Bieżące użycie ({current}) przekracza limit ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Zgadzam się z",
        "termsOfService": "warunkami usługi",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Interwał Zdrowy",
    "timeoutSeconds": "Limit czasu (sek)",
    "timeIsInSeconds": "Czas w sekundach",
+    "requireDeviceApproval": "Wymagaj zatwierdzenia urządzenia",
+    "requireDeviceApprovalDescription": "Użytkownicy o tej roli potrzebują nowych urządzeń zatwierdzonych przez administratora, zanim będą mogli połączyć się i uzyskać dostęp do zasobów.",
    "retryAttempts": "Próby Ponowienia",
    "expectedResponseCodes": "Oczekiwane Kody Odpowiedzi",
    "expectedResponseCodesDescription": "Kod statusu HTTP, który wskazuje zdrowy status. Jeśli pozostanie pusty, uznaje się 200-300 za zdrowy.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Nie znaleziono wewnętrznych zasobów.",
    "resourcesTableDestination": "Miejsce docelowe",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adres aliasu",
+    "resourcesTableAliasAddressInfo": "Ten adres jest częścią podsieci użyteczności organizacji. Jest używany do rozwiązywania rekordów aliasu przy użyciu wewnętrznej rozdzielczości DNS.",
    "resourcesTableClients": "Klientami",
    "resourcesTableAndOnlyAccessibleInternally": "i są dostępne tylko wewnętrznie po połączeniu z klientem.",
    "resourcesTableNoTargets": "Brak celów",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Powrót do standardowego logowania",
    "orgAuthNoAccount": "Nie masz konta?",
    "subscriptionRequiredToUse": "Do korzystania z tej funkcji wymagana jest subskrypcja.",
+    "mustUpgradeToUse": "Musisz uaktualnić subskrypcję, aby korzystać z tej funkcji.",
+    "subscriptionRequiredTierToUse": "Ta funkcja wymaga funkcji <tierLink>{tier}</tierLink> lub wyższej.",
+    "upgradeToTierToUse": "Aby skorzystać z tej funkcji, przejdź na <tierLink>{tier}</tierLink> lub wyższy pakiet.",
+    "subscriptionTierTier1": "Strona główna",
+    "subscriptionTierTier2": "Drużyna",
+    "subscriptionTierTier3": "Biznes",
+    "subscriptionTierEnterprise": "Przedsiębiorstwo",
    "idpDisabled": "Dostawcy tożsamości są wyłączeni",
    "orgAuthPageDisabled": "Strona autoryzacji organizacji jest wyłączona.",
    "domainRestartedDescription": "Weryfikacja domeny zrestartowana pomyślnie",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Uzyskaj licencję",
+        "description": "Wybierz plan i powiedz nam, jak planujesz korzystać z Pangolin.",
+        "chooseTier": "Wybierz swój plan",
+        "viewPricingLink": "Zobacz cenniki, funkcje i limity",
+        "tiers": {
+            "starter": {
+                "title": "Rozpocznij",
+                "description": "Środki te przeznaczone są na pokrycie wydatków na personel i wydatków administracyjnych Agencji (tytuły 1 i 2) oraz jej wydatków operacyjnych (tytuł 3)."
+            },
+            "scale": {
+                "title": "Skala",
+                "description": "Cechy przedsiębiorstw, 50 użytkowników, 50 obiektów i wsparcie priorytetowe."
+            }
+        },
+        "personalUseOnly": "Wyłącznie do użytku osobistego (bezpłatna licencja – brak zamówień)",
+        "buttons": {
+            "continueToCheckout": "Przejdź do zamówienia"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Błąd zamówienia",
+                "description": "Nie można uruchomić zamówienia. Spróbuj ponownie."
+            }
+        }
+    },
    "priority": "Priorytet",
    "priorityDescription": "Najpierw oceniane są trasy priorytetowe. Priorytet = 100 oznacza automatyczne zamawianie (decyzje systemowe). Użyj innego numeru, aby wyegzekwować ręczny priorytet.",
    "instanceName": "Nazwa instancji",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
    "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
    "licenseRequiredToUse": "Licencja Enterprise jest wymagana do korzystania z tej funkcji.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji.",
    "certResolver": "Rozwiązywanie certyfikatów",
    "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
    "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Kod musi mieć 9 znaków (np. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Nieprawidłowy lub wygasły kod",
    "deviceCodeVerifyFailed": "Nie udało się zweryfikować kodu urządzenia",
+    "deviceCodeValidating": "Sprawdzanie kodu urządzenia...",
+    "deviceCodeVerifying": "Weryfikowanie autoryzacji urządzenia...",
    "signedInAs": "Zalogowany jako",
    "deviceCodeEnterPrompt": "Wprowadź kod wyświetlany na urządzeniu",
    "continue": "Kontynuuj",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Dostęp do wszystkich organizacji, do których Twoje konto ma dostęp",
    "deviceAuthorize": "Autoryzuj {applicationName}",
    "deviceConnected": "Urządzenie podłączone!",
-    "deviceAuthorizedMessage": "Urządzenie jest upoważnione do dostępu do Twojego konta.",
+    "deviceAuthorizedMessage": "Urządzenie jest autoryzowane do uzyskania dostępu do Twojego konta. Proszę wróć do aplikacji klienckiej.",
    "pangolinCloud": "Chmura Pangolin",
    "viewDevices": "Zobacz urządzenia",
    "viewDevicesDescription": "Zarządzaj podłączonymi urządzeniami",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Nie ty? Użyj innego konta.",
    "deviceLoginDeviceRequestingAccessToAccount": "Urządzenie żąda dostępu do tego konta.",
+    "loginSelectAuthenticationMethod": "Wybierz metodę uwierzytelniania aby kontynuować.",
    "noData": "Brak danych",
    "machineClients": "Klienci maszyn",
    "install": "Zainstaluj",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Usługa chwilowo niedostępna",
    "maintenanceScreenMessage": "Obecnie doświadczamy problemów technicznych. Proszę sprawdzić ponownie wkrótce.",
    "maintenanceScreenEstimatedCompletion": "Szacowane zakończenie:",
-    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane"
+    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane",
+    "available": "Dostępny",
+    "archived": "Zarchiwizowane",
+    "noArchivedDevices": "Nie znaleziono zarchiwizowanych urządzeń",
+    "deviceArchived": "Urządzenie zarchiwizowane",
+    "deviceArchivedDescription": "Urządzenie zostało pomyślnie zarchiwizowane.",
+    "errorArchivingDevice": "Błąd podczas archiwizacji urządzenia",
+    "failedToArchiveDevice": "Nie udało się zarchiwizować urządzenia",
+    "deviceQuestionArchive": "Czy na pewno chcesz zarchiwizować to urządzenie?",
+    "deviceMessageArchive": "Urządzenie zostanie zarchiwizowane i usunięte z listy aktywnych urządzeń.",
+    "deviceArchiveConfirm": "Archiwizuj urządzenie",
+    "archiveDevice": "Archiwizuj urządzenie",
+    "archive": "Archiwum",
+    "deviceUnarchived": "Urządzenie niezarchiwizowane",
+    "deviceUnarchivedDescription": "Urządzenie zostało pomyślnie usunięte.",
+    "errorUnarchivingDevice": "Błąd podczas usuwania archiwizacji urządzenia",
+    "failedToUnarchiveDevice": "Nie udało się odarchiwizować urządzenia",
+    "unarchive": "Usuń z archiwum",
+    "archiveClient": "Zarchiwizuj klienta",
+    "archiveClientQuestion": "Czy na pewno chcesz zarchiwizować tego klienta?",
+    "archiveClientMessage": "Klient zostanie zarchiwizowany i usunięty z listy aktywnych klientów.",
+    "archiveClientConfirm": "Zarchiwizuj klienta",
+    "blockClient": "Zablokuj klienta",
+    "blockClientQuestion": "Czy na pewno chcesz zablokować tego klienta?",
+    "blockClientMessage": "Urządzenie zostanie wymuszone do rozłączenia, jeśli jest obecnie podłączone. Możesz odblokować urządzenie później.",
+    "blockClientConfirm": "Zablokuj klienta",
+    "active": "Aktywne",
+    "usernameOrEmail": "Nazwa użytkownika lub e-mail",
+    "selectYourOrganization": "Wybierz swoją organizację",
+    "signInTo": "Zaloguj się do",
+    "signInWithPassword": "Kontynuuj z hasłem",
+    "noAuthMethodsAvailable": "Brak dostępnych metod uwierzytelniania dla tej organizacji.",
+    "enterPassword": "Wprowadź hasło",
+    "enterMfaCode": "Wprowadź kod z aplikacji uwierzytelniającej",
+    "securityKeyRequired": "Aby się zalogować, użyj klucza bezpieczeństwa.",
+    "needToUseAnotherAccount": "Potrzebujesz użyć innego konta?",
+    "loginLegalDisclaimer": "Klikając na przycisk poniżej, potwierdzasz, że przeczytałeś, rozumiesz, i zaakceptuj <termsOfService>Warunki świadczenia usługi</termsOfService> i <privacyPolicy>Polityka prywatności</privacyPolicy>.",
+    "termsOfService": "Warunki korzystania z usługi",
+    "privacyPolicy": "Polityka prywatności",
+    "userNotFoundWithUsername": "Nie znaleziono użytkownika o tej nazwie użytkownika.",
+    "verify": "Weryfikacja",
+    "signIn": "Zaloguj się",
+    "forgotPassword": "Zapomniałeś hasła?",
+    "orgSignInTip": "Jeśli zalogowałeś się wcześniej, możesz wprowadzić nazwę użytkownika lub e-mail powyżej, aby uwierzytelnić się z dostawcą tożsamości organizacji. To łatwiejsze!",
+    "continueAnyway": "Kontynuuj mimo to",
+    "dontShowAgain": "Nie pokazuj ponownie",
+    "orgSignInNotice": "Czy wiedziałeś?",
+    "signupOrgNotice": "Próbujesz się zalogować?",
+    "signupOrgTip": "Czy próbujesz zalogować się za pośrednictwem dostawcy tożsamości organizacji?",
+    "signupOrgLink": "Zamiast tego zaloguj się lub zarejestruj w swojej organizacji",
+    "verifyEmailLogInWithDifferentAccount": "Użyj innego konta",
+    "logIn": "Zaloguj się",
+    "deviceInformation": "Informacje o urządzeniu",
+    "deviceInformationDescription": "Informacje o urządzeniu i agentach",
+    "deviceSecurity": "Bezpieczeństwo urządzenia",
+    "deviceSecurityDescription": "Informacje o bezpieczeństwie urządzenia",
+    "platform": "Platforma",
+    "macosVersion": "Wersja macOS",
+    "windowsVersion": "Wersja Windows",
+    "iosVersion": "Wersja iOS",
+    "androidVersion": "Wersja Androida",
+    "osVersion": "Wersja systemu operacyjnego",
+    "kernelVersion": "Wersja jądra",
+    "deviceModel": "Model urządzenia",
+    "serialNumber": "Numer seryjny",
+    "hostname": "Hostname",
+    "firstSeen": "Widziany po raz pierwszy",
+    "lastSeen": "Ostatnio widziane",
+    "biometricsEnabled": "Biometria włączona",
+    "diskEncrypted": "Dysk zaszyfrowany",
+    "firewallEnabled": "Zapora włączona",
+    "autoUpdatesEnabled": "Automatyczne aktualizacje włączone",
+    "tpmAvailable": "TPM dostępne",
+    "windowsAntivirusEnabled": "Antywirus włączony",
+    "macosSipEnabled": "Ochrona integralności systemu (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Tryb Stealth zapory",
+    "linuxAppArmorEnabled": "Zbroja aplikacji",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Wyświetl informacje o urządzeniu i ustawienia",
+    "devicePendingApprovalDescription": "To urządzenie czeka na zatwierdzenie",
+    "deviceBlockedDescription": "To urządzenie jest obecnie zablokowane. Nie będzie można połączyć się z żadnymi zasobami, chyba że zostanie odblokowane.",
+    "unblockClient": "Odblokuj klienta",
+    "unblockClientDescription": "Urządzenie zostało odblokowane",
+    "unarchiveClient": "Usuń archiwizację klienta",
+    "unarchiveClientDescription": "Urządzenie zostało odarchiwizowane",
+    "block": "Blok",
+    "unblock": "Odblokuj",
+    "deviceActions": "Akcje urządzenia",
+    "deviceActionsDescription": "Zarządzaj stanem urządzenia i dostępem",
+    "devicePendingApprovalBannerDescription": "To urządzenie oczekuje na zatwierdzenie. Nie będzie można połączyć się z zasobami, dopóki nie zostanie zatwierdzone.",
+    "connected": "Połączono",
+    "disconnected": "Rozłączony",
+    "approvalsEmptyStateTitle": "Zatwierdzanie urządzenia nie włączone",
+    "approvalsEmptyStateDescription": "Włącz zatwierdzanie urządzeń dla ról aby wymagać zgody administratora, zanim użytkownicy będą mogli podłączyć nowe urządzenia.",
+    "approvalsEmptyStateStep1Title": "Przejdź do ról",
+    "approvalsEmptyStateStep1Description": "Przejdź do ustawień ról swojej organizacji, aby skonfigurować zatwierdzenia urządzenia.",
+    "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
+    "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
+    "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -18,6 +18,8 @@
    "componentsMember": "É membro de {count, plural, =0 {nenhuma organização} one {uma organização} other {# organizações}}.",
    "componentsInvalidKey": "Chaves de licença inválidas ou expiradas detectadas. Siga os termos da licença para continuar usando todos os recursos.",
    "dismiss": "Rejeitar",
+    "subscriptionViolationMessage": "Você está além dos seus limites para o seu plano atual. Corrija o problema removendo sites, usuários, ou outros recursos para ficar em seu plano.",
+    "subscriptionViolationViewBilling": "Ver faturamento",
    "componentsLicenseViolation": "Violação de Licença: Este servidor está usando sites {usedSites} que excedem o limite licenciado de sites {maxSites} . Siga os termos da licença para continuar usando todos os recursos.",
    "componentsSupporterMessage": "Obrigado por apoiar o Pangolin como um {tier}!",
    "inviteErrorNotValid": "Desculpe, mas parece que o convite que está a tentar aceder não foi aceito ou não é mais válido.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Conectar a Qualquer Rede",
    "sitesBannerDescription": "Um site é uma conexão a uma rede remota que permite ao Pangolin fornecer acesso a recursos, sejam eles públicos ou privados, a usuários em qualquer lugar. Instale o conector de rede do site (Newt) em qualquer lugar onde você possa executar um binário ou contêiner para estabelecer a conexão.",
    "sitesBannerButtonText": "Instalar Site",
+    "approvalsBannerTitle": "Aprovar ou negar acesso ao dispositivo",
+    "approvalsBannerDescription": "Revisar e aprovar ou negar solicitações de acesso ao dispositivo de usuários. Quando as aprovações do dispositivo são necessárias, os usuários devem obter a aprovação do administrador antes que seus dispositivos possam se conectar aos recursos da sua organização.",
+    "approvalsBannerButtonText": "Saiba mais",
    "siteCreate": "Criar site",
    "siteCreateDescription2": "Siga os passos abaixo para criar e conectar um novo site",
    "siteCreateDescription": "Crie um novo site para começar a conectar os recursos",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Pesquisar funções...",
    "accessRolesAdd": "Adicionar função",
    "accessRoleDelete": "Excluir Papel",
+    "accessApprovalsManage": "Gerenciar aprovações",
+    "accessApprovalsDescription": "Visualizar e gerenciar aprovações pendentes para acesso a esta organização",
    "description": "Descrição:",
    "inviteTitle": "Convites Abertos",
    "inviteDescription": "Gerenciar convites para outros usuários participarem da organização",
@@ -450,6 +457,18 @@
    "selectDuration": "Selecionar duração",
    "selectResource": "Selecionar Recurso",
    "filterByResource": "Filtrar por Recurso",
+    "selectApprovalState": "Selecionar Estado de Aprovação",
+    "filterByApprovalState": "Filtrar por estado de aprovação",
+    "approvalListEmpty": "Sem aprovações",
+    "approvalState": "Estado de aprovação",
+    "approve": "Aprovar",
+    "approved": "Aceito",
+    "denied": "Negado",
+    "deniedApproval": "Aprovação Negada",
+    "all": "Todos",
+    "deny": "Recusar",
+    "viewDetails": "Visualizar Detalhes",
+    "requestingNewDeviceApproval": "solicitou um novo dispositivo",
    "resetFilters": "Redefinir filtros",
    "totalBlocked": "Solicitações bloqueadas pelo Pangolin",
    "totalRequests": "Total de pedidos",
@@ -729,16 +748,28 @@
    "countries": "Países",
    "accessRoleCreate": "Criar Função",
    "accessRoleCreateDescription": "Crie uma nova função para agrupar utilizadores e gerir suas permissões.",
+    "accessRoleEdit": "Editar Permissão",
+    "accessRoleEditDescription": "Editar informações do papel.",
    "accessRoleCreateSubmit": "Criar Função",
    "accessRoleCreated": "Função criada",
    "accessRoleCreatedDescription": "A função foi criada com sucesso.",
    "accessRoleErrorCreate": "Falha ao criar função",
    "accessRoleErrorCreateDescription": "Ocorreu um erro ao criar a função.",
+    "accessRoleUpdateSubmit": "Atualizar Função",
+    "accessRoleUpdated": "Função atualizada",
+    "accessRoleUpdatedDescription": "A função foi atualizada com sucesso.",
+    "accessApprovalUpdated": "Aprovação processada",
+    "accessApprovalApprovedDescription": "Definir decisão de solicitação de aprovação para aprovada.",
+    "accessApprovalDeniedDescription": "Definir decisão de solicitação de aprovação para negada.",
+    "accessRoleErrorUpdate": "Falha ao atualizar papel",
+    "accessRoleErrorUpdateDescription": "Ocorreu um erro ao atualizar a função.",
+    "accessApprovalErrorUpdate": "Não foi possível processar a aprovação",
+    "accessApprovalErrorUpdateDescription": "Ocorreu um erro ao processar a aprovação.",
    "accessRoleErrorNewRequired": "Nova função é necessária",
    "accessRoleErrorRemove": "Falha ao remover função",
    "accessRoleErrorRemoveDescription": "Ocorreu um erro ao remover a função.",
    "accessRoleName": "Nome da Função",
-    "accessRoleQuestionRemove": "Você está prestes a apagar a função {name}. Você não pode desfazer esta ação.",
+    "accessRoleQuestionRemove": "Você está prestes a apagar o papel `{name}. Você não pode desfazer esta ação.",
    "accessRoleRemove": "Remover Função",
    "accessRoleRemoveDescription": "Remover uma função da organização",
    "accessRoleRemoveSubmit": "Remover Função",
@@ -954,13 +985,13 @@
    "passwordExpiryDescription": "Esta organização exige que você altere sua senha a cada {maxDays} dias.",
    "changePasswordNow": "Alterar a senha agora",
    "pincodeAuth": "Código do Autenticador",
-    "pincodeSubmit2": "Submeter Código",
+    "pincodeSubmit2": "Enviar código",
    "passwordResetSubmit": "Solicitar Redefinição",
    "passwordResetAlreadyHaveCode": "Inserir Código",
    "passwordResetSmtpRequired": "Por favor, contate o administrador",
    "passwordResetSmtpRequiredDescription": "É necessário um código de redefinição de senha para redefinir sua senha. Por favor, contate o administrador para assistência.",
    "passwordBack": "Voltar à Palavra-passe",
-    "loginBack": "Voltar ao início de sessão",
+    "loginBack": "Voltar para a página principal de acesso",
    "signup": "Registar",
    "loginStart": "Inicie sessão para começar",
    "idpOidcTokenValidating": "A validar token OIDC",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Atualizar Organização IDP",
    "actionCreateClient": "Criar Cliente",
    "actionDeleteClient": "Excluir Cliente",
+    "actionArchiveClient": "Arquivar Cliente",
+    "actionUnarchiveClient": "Desarquivar Cliente",
+    "actionBlockClient": "Bloco do Cliente",
+    "actionUnblockClient": "Desbloquear Cliente",
    "actionUpdateClient": "Atualizar Cliente",
    "actionListClients": "Listar Clientes",
    "actionGetClient": "Obter Cliente",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Pesquisar...",
    "create": "Criar",
    "orgs": "Organizações",
-    "loginError": "Ocorreu um erro ao iniciar sessão",
-    "loginRequiredForDevice": "É necessário entrar para autenticar seu dispositivo.",
+    "loginError": "Ocorreu um erro inesperado. Por favor, tente novamente.",
+    "loginRequiredForDevice": "O login é necessário para seu dispositivo.",
    "passwordForgot": "Esqueceu a sua palavra-passe?",
    "otpAuth": "Autenticação de Dois Fatores",
    "otpAuthDescription": "Insira o código da sua aplicação de autenticação ou um dos seus códigos de backup de uso único.",
    "otpAuthSubmit": "Submeter Código",
    "idpContinue": "Ou continuar com",
-    "otpAuthBack": "Voltar ao Início de Sessão",
+    "otpAuthBack": "Voltar à Palavra-passe",
    "navbar": "Menu de Navegação",
    "navbarDescription": "Menu de navegação principal da aplicação",
    "navbarDocsLink": "Documentação",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Geral",
    "sidebarHome": "Residencial",
    "sidebarSites": "sites",
+    "sidebarApprovals": "Solicitações de aprovação",
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Provedores de identidade",
    "sidebarLicense": "Tipo:",
    "sidebarClients": "Clientes",
-    "sidebarUserDevices": "Utilizadores",
+    "sidebarUserDevices": "Dispositivos do usuário",
    "sidebarMachineClients": "Máquinas",
    "sidebarDomains": "Domínios",
    "sidebarGeneral": "Gerir",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Ocorreu um erro ao criar a conta de administrador do servidor.",
    "certificateStatus": "Status do Certificado",
    "loading": "Carregando",
+    "loadingAnalytics": "Carregando Analytics",
    "restart": "Reiniciar",
    "domains": "Domínios",
    "domainsDescription": "Criar e gerenciar domínios disponíveis na organização",
@@ -1304,6 +1341,7 @@
    "refreshError": "Falha ao atualizar dados",
    "verified": "Verificado",
    "pending": "Pendente",
+    "pendingApproval": "Aprovação pendente",
    "sidebarBilling": "Faturamento",
    "billing": "Faturamento",
    "orgBillingDescription": "Gerenciar informações e assinaturas de cobrança",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Visão Geral dos Limites de Uso",
    "billingMonitorUsage": "Monitore seu uso em relação aos limites configurados. Se precisar aumentar esses limites, entre em contato conosco support@pangolin.net.",
    "billingDataUsage": "Uso de Dados",
-    "billingOnlineTime": "Tempo Online do Site",
-    "billingUsers": "Usuários Ativos",
-    "billingDomains": "Domínios Ativos",
-    "billingRemoteExitNodes": "Nodos Auto-Hospedados Ativos",
+    "billingSites": "sites",
+    "billingUsers": "Utilizadores",
+    "billingDomains": "Domínios",
+    "billingRemoteExitNodes": "Nós remotos",
    "billingNoLimitConfigured": "Nenhum limite configurado",
    "billingEstimatedPeriod": "Período Estimado de Cobrança",
    "billingIncludedUsage": "Uso Incluído",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Falha ao obter URL do portal",
    "billingPortalError": "Erro do Portal",
    "billingDataUsageInfo": "Você é cobrado por todos os dados transferidos através de seus túneis seguros quando conectado à nuvem. Isso inclui o tráfego de entrada e saída em todos os seus sites. Quando você atingir o seu limite, seus sites desconectarão até que você atualize seu plano ou reduza o uso. Os dados não serão cobrados ao usar os nós.",
-    "billingOnlineTimeInfo": "Cobrança de acordo com o tempo em que seus sites permanecem conectados à nuvem. Por exemplo, 44,640 minutos é igual a um site que roda 24/7 para um mês inteiro. Quando você atinge o seu limite, seus sites desconectarão até que você faça o upgrade do seu plano ou reduza o uso. O tempo não é cobrado ao usar nós.",
-    "billingUsersInfo": "A cobrança é feita por cada usuário na organização. A cobrança é feita diariamente com base no número de contas de usuário ativas na sua organização.",
-    "billingDomainInfo": "A cobrança é feita por cada domínio da organização. A cobrança é feita diariamente com base no número de contas de domínio ativas na sua organização.",
-    "billingRemoteExitNodesInfo": "Você é cobrado por cada nó gerenciado na organização. A cobrança é calculada diariamente com base no número de nós gerenciados ativos em sua organização.",
+    "billingSInfo": "Quantos sites você pode usar",
+    "billingUsersInfo": "Quantos usuários você pode usar",
+    "billingDomainInfo": "Quantos domínios você pode usar",
+    "billingRemoteExitNodesInfo": "Quantos nós remotos você pode usar",
+    "billingLicenseKeys": "Chaves de Licença",
+    "billingLicenseKeysDescription": "Gerenciar suas subscrições de chave de licença",
+    "billingLicenseSubscription": "Assinatura de Licença",
+    "billingInactive": "Inativo",
+    "billingLicenseItem": "Item de Licença",
+    "billingQuantity": "Quantidade",
+    "billingTotal": "total:",
+    "billingModifyLicenses": "Modificar assinatura de licença",
    "domainNotFound": "Domínio Não Encontrado",
    "domainNotFoundDescription": "Este recurso está desativado porque o domínio não existe mais em nosso sistema. Defina um novo domínio para este recurso.",
    "failed": "Falhou",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Chave de segurança removida com sucesso",
    "securityKeyRemoveError": "Erro ao remover chave de segurança",
    "securityKeyLoadError": "Erro ao carregar chaves de segurança",
-    "securityKeyLogin": "Continuar com a chave de segurança",
+    "securityKeyLogin": "Usar chave de segurança",
    "securityKeyAuthError": "Erro ao autenticar com chave de segurança",
    "securityKeyRecommendation": "Considere registrar outra chave de segurança em um dispositivo diferente para garantir que você não fique bloqueado da sua conta.",
    "registering": "Registrando...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Número da porta é obrigatório para recursos não-HTTP",
    "resourcePortNotAllowed": "Número da porta não deve ser definido para recursos HTTP",
    "billingPricingCalculatorLink": "Calculadora de Preços",
+    "billingYourPlan": "Seu plano",
+    "billingViewOrModifyPlan": "Ver ou modificar seu plano atual",
+    "billingViewPlanDetails": "Ver detalhes do plano",
+    "billingUsageAndLimits": "Uso e Limites",
+    "billingViewUsageAndLimits": "Ver os limites do seu plano e o uso atual",
+    "billingCurrentUsage": "Uso atual",
+    "billingMaximumLimits": "Limite Máximo",
+    "billingRemoteNodes": "Nós remotos",
+    "billingUnlimited": "Ilimitado",
+    "billingPaidLicenseKeys": "Chaves de licença paga",
+    "billingManageLicenseSubscription": "Gerencie sua assinatura para as chaves de licenças auto-hospedadas pagas",
+    "billingCurrentKeys": "Chaves atuais",
+    "billingModifyCurrentPlan": "Modificar o Plano Atual",
+    "billingConfirmUpgrade": "Confirmar a atualização",
+    "billingConfirmDowngrade": "Confirmar downgrade",
+    "billingConfirmUpgradeDescription": "Você está prestes a atualizar seu plano. Revise os novos limites e preços abaixo.",
+    "billingConfirmDowngradeDescription": "Você está prestes a fazer o downgrade do seu plano. Revise os novos limites e preços abaixo.",
+    "billingPlanIncludes": "Plano Inclui",
+    "billingProcessing": "Processandochar@@0",
+    "billingConfirmUpgradeButton": "Confirmar a atualização",
+    "billingConfirmDowngradeButton": "Confirmar downgrade",
+    "billingLimitViolationWarning": "Uso excede novos limites de plano",
+    "billingLimitViolationDescription": "Seu uso atual excede os limites deste plano. Após desclassificação, todas as ações serão desabilitadas até que você reduza o uso dentro dos novos limites. Por favor, reveja os recursos abaixo que atualmente estão acima dos limites. Limites de violação:",
+    "billingFeatureLossWarning": "Aviso de disponibilidade de recursos",
+    "billingFeatureLossDescription": "Ao fazer o downgrading, recursos não disponíveis no novo plano serão desativados automaticamente. Algumas configurações e configurações podem ser perdidas. Por favor, revise a matriz de preços para entender quais características não estarão mais disponíveis.",
+    "billingUsageExceedsLimit": "Uso atual ({current}) excede o limite ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Concordo com",
        "termsOfService": "os termos de serviço",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Intervalo Saudável",
    "timeoutSeconds": "Tempo limite (seg)",
    "timeIsInSeconds": "O tempo está em segundos",
+    "requireDeviceApproval": "Exigir aprovação do dispositivo",
+    "requireDeviceApprovalDescription": "Usuários com esta função precisam de novos dispositivos aprovados por um administrador antes que eles possam se conectar e acessar recursos.",
    "retryAttempts": "Tentativas de Repetição",
    "expectedResponseCodes": "Códigos de Resposta Esperados",
    "expectedResponseCodesDescription": "Código de status HTTP que indica estado saudável. Se deixado em branco, 200-300 é considerado saudável.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Nenhum recurso interno encontrado.",
    "resourcesTableDestination": "Destino",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Endereço do Pseudônimo",
+    "resourcesTableAliasAddressInfo": "Este endereço faz parte da sub-rede de utilitários da organização. É usado para resolver registros de alias usando resolução de DNS interno.",
    "resourcesTableClients": "Clientes",
    "resourcesTableAndOnlyAccessibleInternally": "e são acessíveis apenas internamente quando conectados com um cliente.",
    "resourcesTableNoTargets": "Nenhum alvo",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
    "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
    "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
-    "orgAuthSignInToOrg": "Entrar em uma organização",
+    "orgAuthSignInToOrg": "Fazer login em uma organização",
    "orgAuthSelectOrgTitle": "Entrada da Organização",
    "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
    "orgAuthOrgIdPlaceholder": "sua-organização",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Voltar para entrada padrão",
    "orgAuthNoAccount": "Não possui uma conta?",
    "subscriptionRequiredToUse": "Uma assinatura é necessária para usar esse recurso.",
+    "mustUpgradeToUse": "Você deve atualizar sua assinatura para usar este recurso.",
+    "subscriptionRequiredTierToUse": "Esta função requer <tierLink>{tier}</tierLink> ou superior.",
+    "upgradeToTierToUse": "Atualize para <tierLink>{tier}</tierLink> ou superior para usar este recurso.",
+    "subscriptionTierTier1": "Residencial",
+    "subscriptionTierTier2": "Equipe",
+    "subscriptionTierTier3": "Empresas",
+    "subscriptionTierEnterprise": "Empresa",
    "idpDisabled": "Provedores de identidade estão desabilitados.",
    "orgAuthPageDisabled": "A página de autenticação da organização está desativada.",
    "domainRestartedDescription": "Verificação de domínio reiniciado com sucesso",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Obtenha uma licença",
+        "description": "Escolha um plano e nos diga como você planeja usar o Pangolin.",
+        "chooseTier": "Escolha seu plano",
+        "viewPricingLink": "Veja os preços, recursos e limites",
+        "tiers": {
+            "starter": {
+                "title": "Iniciante",
+                "description": "Recursos de empresa, 25 usuários, 25 sites e apoio da comunidade."
+            },
+            "scale": {
+                "title": "Escala",
+                "description": "Recursos de empresa, 50 usuários, 50 sites e apoio prioritário."
+            }
+        },
+        "personalUseOnly": "Apenas uso pessoal (licença gratuita — sem check-out)",
+        "buttons": {
+            "continueToCheckout": "Continuar com checkout"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Erro no check-out",
+                "description": "Não foi possível iniciar o checkout. Por favor, tente novamente."
+            }
+        }
+    },
    "priority": "Prioridade",
    "priorityDescription": "Rotas de alta prioridade são avaliadas primeiro. Prioridade = 100 significa ordem automática (decisões do sistema). Use outro número para aplicar prioridade manual.",
    "instanceName": "Nome da Instância",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
    "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
    "licenseRequiredToUse": "É necessária uma licença empresarial para usar esse recurso.",
+    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso.",
    "certResolver": "Resolvedor de Certificado",
    "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
    "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "O código deve ter 9 caracteres (ex.: A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Código inválido ou expirado",
    "deviceCodeVerifyFailed": "Falha ao verificar o código do dispositivo",
+    "deviceCodeValidating": "Validando código do dispositivo...",
+    "deviceCodeVerifying": "Verificando autorização do dispositivo...",
    "signedInAs": "Sessão iniciada como",
    "deviceCodeEnterPrompt": "Digite o código exibido no dispositivo",
    "continue": "Continuar",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Acesso a todas as organizações que sua conta tem acesso a",
    "deviceAuthorize": "Autorizar {applicationName}",
    "deviceConnected": "Dispositivo Conectado!",
-    "deviceAuthorizedMessage": "O dispositivo está autorizado a acessar sua conta.",
+    "deviceAuthorizedMessage": "O dispositivo está autorizado a acessar sua conta. Por favor, retorne ao aplicativo cliente.",
    "pangolinCloud": "Nuvem do Pangolin",
    "viewDevices": "Ver Dispositivos",
    "viewDevicesDescription": "Gerencie seus dispositivos conectados",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Não é você? Use uma conta diferente.",
    "deviceLoginDeviceRequestingAccessToAccount": "Um dispositivo está solicitando acesso a essa conta.",
+    "loginSelectAuthenticationMethod": "Selecione um método de autenticação para continuar.",
    "noData": "Nenhum dado encontrado",
    "machineClients": "Clientes de máquina",
    "install": "Instale",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Serviço Temporariamente Indisponível",
    "maintenanceScreenMessage": "Estamos enfrentando dificuldades técnicas no momento. Por favor, volte em breve.",
    "maintenanceScreenEstimatedCompletion": "Conclusão Estimada:",
-    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório"
+    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório",
+    "available": "Disponível",
+    "archived": "Arquivado",
+    "noArchivedDevices": "Nenhum dispositivo arquivado encontrado",
+    "deviceArchived": "Dispositivo arquivado",
+    "deviceArchivedDescription": "O dispositivo foi arquivado com sucesso.",
+    "errorArchivingDevice": "Erro ao arquivar dispositivo",
+    "failedToArchiveDevice": "Falha ao arquivar dispositivo",
+    "deviceQuestionArchive": "Tem certeza que deseja arquivar este dispositivo?",
+    "deviceMessageArchive": "O dispositivo será arquivado e removido da sua lista de dispositivos ativos.",
+    "deviceArchiveConfirm": "Arquivar dispositivo",
+    "archiveDevice": "Arquivar dispositivo",
+    "archive": "Arquivo",
+    "deviceUnarchived": "Dispositivo desarquivado",
+    "deviceUnarchivedDescription": "O dispositivo foi desarquivado com sucesso.",
+    "errorUnarchivingDevice": "Erro ao desarquivar dispositivo",
+    "failedToUnarchiveDevice": "Falha ao desarquivar dispositivo",
+    "unarchive": "Desarquivar",
+    "archiveClient": "Arquivar Cliente",
+    "archiveClientQuestion": "Tem certeza que deseja arquivar este cliente?",
+    "archiveClientMessage": "O cliente será arquivado e removido da sua lista de clientes ativos.",
+    "archiveClientConfirm": "Arquivar Cliente",
+    "blockClient": "Bloco do Cliente",
+    "blockClientQuestion": "Tem certeza que deseja bloquear este cliente?",
+    "blockClientMessage": "O dispositivo será forçado a desconectar se estiver conectado. Você pode desbloquear o dispositivo mais tarde.",
+    "blockClientConfirm": "Bloco do Cliente",
+    "active": "ativo",
+    "usernameOrEmail": "Usuário ou Email",
+    "selectYourOrganization": "Selecione sua organização",
+    "signInTo": "Iniciar sessão em",
+    "signInWithPassword": "Continuar com a senha",
+    "noAuthMethodsAvailable": "Nenhum método de autenticação disponível para esta organização.",
+    "enterPassword": "Digite sua senha",
+    "enterMfaCode": "Insira o código do seu aplicativo autenticador",
+    "securityKeyRequired": "Por favor, utilize sua chave de segurança para entrar.",
+    "needToUseAnotherAccount": "Precisa usar uma conta diferente?",
+    "loginLegalDisclaimer": "Ao clicar nos botões abaixo, você reconhece que leu, entende e concorda com os <termsOfService>Termos de Serviço</termsOfService> e a <privacyPolicy>Política de Privacidade</privacyPolicy>.",
+    "termsOfService": "Termos de Serviço",
+    "privacyPolicy": "Política de Privacidade",
+    "userNotFoundWithUsername": "Nenhum usuário encontrado com este nome de usuário.",
+    "verify": "Verificar",
+    "signIn": "Iniciar sessão",
+    "forgotPassword": "Esqueceu a senha?",
+    "orgSignInTip": "Se você já fez login antes, você pode digitar seu nome de usuário ou e-mail acima para autenticar com o provedor de identidade da sua organização. É mais fácil!",
+    "continueAnyway": "Continuar mesmo assim",
+    "dontShowAgain": "Não mostrar novamente",
+    "orgSignInNotice": "Você sabia?",
+    "signupOrgNotice": "Tentando fazer login?",
+    "signupOrgTip": "Você está tentando entrar através do provedor de identidade da sua organização?",
+    "signupOrgLink": "Faça login ou inscreva-se com sua organização em vez disso",
+    "verifyEmailLogInWithDifferentAccount": "Use uma Conta Diferente",
+    "logIn": "Iniciar sessão",
+    "deviceInformation": "Informações do dispositivo",
+    "deviceInformationDescription": "Informações sobre o dispositivo e o agente",
+    "deviceSecurity": "Segurança do dispositivo",
+    "deviceSecurityDescription": "Informações sobre postagem de segurança",
+    "platform": "Plataforma",
+    "macosVersion": "Versão do macOS",
+    "windowsVersion": "Versão do Windows",
+    "iosVersion": "Versão para iOS",
+    "androidVersion": "Versão do Android",
+    "osVersion": "Versão do SO",
+    "kernelVersion": "Versão do Kernel",
+    "deviceModel": "Modelo do dispositivo",
+    "serialNumber": "Número de Série",
+    "hostname": "Hostname",
+    "firstSeen": "Visto primeiro",
+    "lastSeen": "Visto por último",
+    "biometricsEnabled": "Biometria habilitada",
+    "diskEncrypted": "Disco criptografado",
+    "firewallEnabled": "Firewall habilitado",
+    "autoUpdatesEnabled": "Atualizações Automáticas Habilitadas",
+    "tpmAvailable": "TPM disponível",
+    "windowsAntivirusEnabled": "Antivírus habilitado",
+    "macosSipEnabled": "Proteção da Integridade do Sistema (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Furtivo do Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Ver informações e configurações do dispositivo",
+    "devicePendingApprovalDescription": "Este dispositivo está aguardando aprovação",
+    "deviceBlockedDescription": "Este dispositivo está bloqueado no momento. Ele não será capaz de se conectar a qualquer recurso a menos que seja desbloqueado.",
+    "unblockClient": "Desbloquear Cliente",
+    "unblockClientDescription": "O dispositivo foi desbloqueado",
+    "unarchiveClient": "Desarquivar Cliente",
+    "unarchiveClientDescription": "O dispositivo foi desarquivado",
+    "block": "Bloquear",
+    "unblock": "Desbloquear",
+    "deviceActions": "Ações do dispositivo",
+    "deviceActionsDescription": "Gerenciar status e acesso do dispositivo",
+    "devicePendingApprovalBannerDescription": "Este dispositivo está pendente de aprovação. Não será possível conectar-se a recursos até ser aprovado.",
+    "connected": "Conectado",
+    "disconnected": "Desconectado",
+    "approvalsEmptyStateTitle": "Aprovações do dispositivo não habilitado",
+    "approvalsEmptyStateDescription": "Habilitar aprovações do dispositivo para cargos que exigem aprovação do administrador antes que os usuários possam conectar novos dispositivos.",
+    "approvalsEmptyStateStep1Title": "Ir para Funções",
+    "approvalsEmptyStateStep1Description": "Navegue até as configurações dos papéis da sua organização para configurar as aprovações de dispositivo.",
+    "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
+    "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
+    "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
+    "approvalsEmptyStateButtonText": "Gerir Funções"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -18,6 +18,8 @@
    "componentsMember": "Вы состоите в {count, plural, =0 {0 организациях} one {# организации} few {# организациях} many {# организациях} other {# организациях}}.",
    "componentsInvalidKey": "Обнаружены недействительные или просроченные лицензионные ключи. Соблюдайте условия лицензии для использования всех функций.",
    "dismiss": "Отменить",
+    "subscriptionViolationMessage": "Вы превысили лимиты для вашего текущего плана. Исправьте проблему, удалив сайты, пользователей или другие ресурсы, чтобы остаться в пределах вашего плана.",
+    "subscriptionViolationViewBilling": "Просмотр биллинга",
    "componentsLicenseViolation": "Нарушение лицензии: Сервер использует {usedSites} сайтов, что превышает лицензионный лимит в {maxSites} сайтов. Соблюдайте условия лицензии для использования всех функций.",
    "componentsSupporterMessage": "Спасибо за поддержку Pangolin в качестве {tier}!",
    "inviteErrorNotValid": "Извините, но это приглашение не было принято или срок его действия истёк.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Подключить любую сеть",
    "sitesBannerDescription": "Сайт — это соединение с удаленной сетью, которое позволяет Pangolin предоставлять доступ к ресурсам, будь они общедоступными или частными, пользователям в любом месте. Установите сетевой коннектор сайта (Newt) там, где можно запустить исполняемый файл или контейнер, чтобы установить соединение.",
    "sitesBannerButtonText": "Установить сайт",
+    "approvalsBannerTitle": "Одобрить или запретить доступ к устройству",
+    "approvalsBannerDescription": "Просмотрите и подтвердите или отклоните запросы на доступ к устройству от пользователей. Когда требуется подтверждение устройства, пользователи должны получить одобрение администратора, прежде чем их устройства смогут подключиться к ресурсам вашей организации.",
+    "approvalsBannerButtonText": "Узнать больше",
    "siteCreate": "Создать сайт",
    "siteCreateDescription2": "Следуйте инструкциям ниже для создания и подключения нового сайта",
    "siteCreateDescription": "Создайте новый сайт для начала подключения ресурсов",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Поиск ролей...",
    "accessRolesAdd": "Добавить роль",
    "accessRoleDelete": "Удалить роль",
+    "accessApprovalsManage": "Управление утверждениями",
+    "accessApprovalsDescription": "Просмотр и управление утверждениями в ожидании доступа к этой организации",
    "description": "Описание",
    "inviteTitle": "Открытые приглашения",
    "inviteDescription": "Управление приглашениями для присоединения других пользователей к организации",
@@ -450,6 +457,18 @@
    "selectDuration": "Укажите срок действия",
    "selectResource": "Выберите ресурс",
    "filterByResource": "Фильтровать по ресурсам",
+    "selectApprovalState": "Выберите состояние одобрения",
+    "filterByApprovalState": "Фильтр по состоянию утверждения",
+    "approvalListEmpty": "Нет утверждений",
+    "approvalState": "Состояние одобрения",
+    "approve": "Одобрить",
+    "approved": "Одобрено",
+    "denied": "Отказано",
+    "deniedApproval": "Отказано в одобрении",
+    "all": "Все",
+    "deny": "Запретить",
+    "viewDetails": "Детали",
+    "requestingNewDeviceApproval": "запросил новое устройство",
    "resetFilters": "Сбросить фильтры",
    "totalBlocked": "Запросы заблокированы Панголином",
    "totalRequests": "Всего запросов",
@@ -729,16 +748,28 @@
    "countries": "Страны",
    "accessRoleCreate": "Создание роли",
    "accessRoleCreateDescription": "Создайте новую роль для группы пользователей и выдавайте им разрешения.",
+    "accessRoleEdit": "Изменить роль",
+    "accessRoleEditDescription": "Редактировать информацию о роли.",
    "accessRoleCreateSubmit": "Создать роль",
    "accessRoleCreated": "Роль создана",
    "accessRoleCreatedDescription": "Роль была успешно создана.",
    "accessRoleErrorCreate": "Не удалось создать роль",
    "accessRoleErrorCreateDescription": "Произошла ошибка при создании роли.",
+    "accessRoleUpdateSubmit": "Обновить роль",
+    "accessRoleUpdated": "Роль обновлена",
+    "accessRoleUpdatedDescription": "Роль была успешно обновлена.",
+    "accessApprovalUpdated": "Выполнено утверждение",
+    "accessApprovalApprovedDescription": "Принять решение об утверждении запроса.",
+    "accessApprovalDeniedDescription": "Отказано в запросе об утверждении.",
+    "accessRoleErrorUpdate": "Не удалось обновить роль",
+    "accessRoleErrorUpdateDescription": "Произошла ошибка при обновлении роли.",
+    "accessApprovalErrorUpdate": "Не удалось обработать подтверждение",
+    "accessApprovalErrorUpdateDescription": "Произошла ошибка при обработке одобрения.",
    "accessRoleErrorNewRequired": "Новая роль обязательна",
    "accessRoleErrorRemove": "Не удалось удалить роль",
    "accessRoleErrorRemoveDescription": "Произошла ошибка при удалении роли.",
    "accessRoleName": "Название роли",
-    "accessRoleQuestionRemove": "Вы собираетесь удалить роль {name}. Это действие нельзя отменить.",
+    "accessRoleQuestionRemove": "Вы собираетесь удалить `{name}` роль. Это действие нельзя отменить.",
    "accessRoleRemove": "Удалить роль",
    "accessRoleRemoveDescription": "Удалить роль из организации",
    "accessRoleRemoveSubmit": "Удалить роль",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Пожалуйста, обратитесь к администратору",
    "passwordResetSmtpRequiredDescription": "Для сброса пароля необходим код сброса пароля. Обратитесь к администратору за помощью.",
    "passwordBack": "Назад к паролю",
-    "loginBack": "Вернуться к входу",
+    "loginBack": "Вернуться на главную страницу входа",
    "signup": "Регистрация",
    "loginStart": "Войдите для начала работы",
    "idpOidcTokenValidating": "Проверка OIDC токена",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Обновить организацию IDP",
    "actionCreateClient": "Создать Клиента",
    "actionDeleteClient": "Удалить Клиента",
+    "actionArchiveClient": "Архивировать клиента",
+    "actionUnarchiveClient": "Разархивировать клиента",
+    "actionBlockClient": "Блокировать клиента",
+    "actionUnblockClient": "Разблокировать клиента",
    "actionUpdateClient": "Обновить Клиента",
    "actionListClients": "Список Клиентов",
    "actionGetClient": "Получить Клиента",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Поиск...",
    "create": "Создать",
    "orgs": "Организации",
-    "loginError": "Произошла ошибка при входе",
-    "loginRequiredForDevice": "Для аутентификации устройства необходимо войти в систему.",
+    "loginError": "Произошла непредвиденная ошибка. Пожалуйста, попробуйте еще раз.",
+    "loginRequiredForDevice": "Логин необходим для вашего устройства.",
    "passwordForgot": "Забыли пароль?",
    "otpAuth": "Двухфакторная аутентификация",
    "otpAuthDescription": "Введите код из вашего приложения-аутентификатора или один из ваших одноразовых резервных кодов.",
    "otpAuthSubmit": "Отправить код",
    "idpContinue": "Или продолжить с",
-    "otpAuthBack": "Вернуться к входу",
+    "otpAuthBack": "Назад к паролю",
    "navbar": "Навигационное меню",
    "navbarDescription": "Главное навигационное меню приложения",
    "navbarDocsLink": "Документация",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Обзор",
    "sidebarHome": "Главная",
    "sidebarSites": "Сайты",
+    "sidebarApprovals": "Запросы на утверждение",
    "sidebarResources": "Ресурсы",
    "sidebarProxyResources": "Публичный",
    "sidebarClientResources": "Приватный",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Поставщики удостоверений",
    "sidebarLicense": "Лицензия",
    "sidebarClients": "Клиенты",
-    "sidebarUserDevices": "Пользователи",
+    "sidebarUserDevices": "Устройства пользователя",
    "sidebarMachineClients": "Машины",
    "sidebarDomains": "Домены",
    "sidebarGeneral": "Управление",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Произошла ошибка при создании учётной записи администратора сервера.",
    "certificateStatus": "Статус сертификата",
    "loading": "Загрузка",
+    "loadingAnalytics": "Загрузка аналитики",
    "restart": "Перезагрузка",
    "domains": "Домены",
    "domainsDescription": "Создание и управление доменами, доступными в организации",
@@ -1304,6 +1341,7 @@
    "refreshError": "Не удалось обновить данные",
    "verified": "Подтверждено",
    "pending": "В ожидании",
+    "pendingApproval": "Ожидает утверждения",
    "sidebarBilling": "Выставление счетов",
    "billing": "Выставление счетов",
    "orgBillingDescription": "Управление платежной информацией и подписками",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Обзор лимитов использования",
    "billingMonitorUsage": "Контролируйте использование в соответствии с установленными лимитами. Если вам требуется увеличение лимитов, пожалуйста, свяжитесь с нами support@pangolin.net.",
    "billingDataUsage": "Использование данных",
-    "billingOnlineTime": "Время работы сайта",
-    "billingUsers": "Активные пользователи",
-    "billingDomains": "Активные домены",
-    "billingRemoteExitNodes": "Активные самоуправляемые узлы",
+    "billingSites": "Сайты",
+    "billingUsers": "Пользователи",
+    "billingDomains": "Домены",
+    "billingRemoteExitNodes": "Удаленные узлы",
    "billingNoLimitConfigured": "Лимит не установлен",
    "billingEstimatedPeriod": "Предполагаемый период выставления счетов",
    "billingIncludedUsage": "Включенное использование",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Не удалось получить URL-адрес портала",
    "billingPortalError": "Ошибка портала",
    "billingDataUsageInfo": "Вы несете ответственность за все данные, переданные через безопасные туннели при подключении к облаку. Это включает как входящий, так и исходящий трафик на всех ваших сайтах. При достижении лимита ваши сайты будут отключаться до тех пор, пока вы не обновите план или не уменьшите его использование. При использовании узлов не взимается плата.",
-    "billingOnlineTimeInfo": "Вы тарифицируете на то, как долго ваши сайты будут подключены к облаку. Например, 44 640 минут равны одному сайту, работающему круглосуточно за весь месяц. Когда вы достигните лимита, ваши сайты будут отключаться до тех пор, пока вы не обновите тарифный план или не сократите нагрузку. При использовании узлов не тарифицируется.",
-    "billingUsersInfo": "Вы оплачиваете за каждого пользователя в организации. Платеж рассчитывается ежедневно в зависимости от количества активных учетных записей в вашем органе.",
-    "billingDomainInfo": "Вы платите за каждый домен в организации. Платеж рассчитывается ежедневно в зависимости от количества активных доменных аккаунтов в вашем органе.",
-    "billingRemoteExitNodesInfo": "Вы платите за каждый управляемый узел организации. Платёж рассчитывается ежедневно на основе количества активных управляемых узлов в вашем органе.",
+    "billingSInfo": "Сколько сайтов вы можете использовать",
+    "billingUsersInfo": "Сколько пользователей вы можете использовать",
+    "billingDomainInfo": "Сколько доменов вы можете использовать",
+    "billingRemoteExitNodesInfo": "Сколько удаленных узлов вы можете использовать",
+    "billingLicenseKeys": "Лицензионные ключи",
+    "billingLicenseKeysDescription": "Управление подписками на лицензионные ключи",
+    "billingLicenseSubscription": "Лицензионное соглашение",
+    "billingInactive": "Неактивный",
+    "billingLicenseItem": "Элемент лицензии",
+    "billingQuantity": "Количество",
+    "billingTotal": "итого",
+    "billingModifyLicenses": "Изменить лицензию подписки",
    "domainNotFound": "Домен не найден",
    "domainNotFoundDescription": "Этот ресурс отключен, так как домен больше не существует в нашей системе. Пожалуйста, установите новый домен для этого ресурса.",
    "failed": "Ошибка",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Ключ безопасности успешно удален",
    "securityKeyRemoveError": "Не удалось удалить ключ безопасности",
    "securityKeyLoadError": "Не удалось загрузить ключи безопасности",
-    "securityKeyLogin": "Продолжить с ключом безопасности",
+    "securityKeyLogin": "Использовать ключ безопасности",
    "securityKeyAuthError": "Не удалось аутентифицироваться с ключом безопасности",
    "securityKeyRecommendation": "Зарегистрируйте резервный ключ безопасности на другом устройстве, чтобы всегда иметь доступ к вашему аккаунту.",
    "registering": "Регистрация...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "Номер порта необходим для не-HTTP ресурсов",
    "resourcePortNotAllowed": "Номер порта не должен быть установлен для HTTP ресурсов",
    "billingPricingCalculatorLink": "Калькулятор расценок",
+    "billingYourPlan": "Ваш план",
+    "billingViewOrModifyPlan": "Просмотреть или изменить ваш текущий тариф",
+    "billingViewPlanDetails": "Подробности плана",
+    "billingUsageAndLimits": "Использование и ограничения",
+    "billingViewUsageAndLimits": "Просмотр лимитов и текущего использования вашего плана",
+    "billingCurrentUsage": "Текущее использование",
+    "billingMaximumLimits": "Максимальные ограничения",
+    "billingRemoteNodes": "Удаленные узлы",
+    "billingUnlimited": "Неограниченный",
+    "billingPaidLicenseKeys": "Платные лицензионные ключи",
+    "billingManageLicenseSubscription": "Управление подпиской на платные лицензионные ключи собственного хостинга",
+    "billingCurrentKeys": "Текущие ключи",
+    "billingModifyCurrentPlan": "Изменить текущий план",
+    "billingConfirmUpgrade": "Подтвердить обновление",
+    "billingConfirmDowngrade": "Подтверждение понижения",
+    "billingConfirmUpgradeDescription": "Вы собираетесь обновить тарифный план. Проверьте новые лимиты и цены ниже.",
+    "billingConfirmDowngradeDescription": "Вы собираетесь понизить тарифный план. Проверьте новые ограничения и цены ниже.",
+    "billingPlanIncludes": "Включает план",
+    "billingProcessing": "Обработка...",
+    "billingConfirmUpgradeButton": "Подтвердить обновление",
+    "billingConfirmDowngradeButton": "Подтверждение понижения",
+    "billingLimitViolationWarning": "Превышено количество новых лимитов плана",
+    "billingLimitViolationDescription": "Ваше текущее использование превышает лимиты этого плана. После понижения значения все действия будут отключены до уменьшения использования в пределах новых лимитов. Пожалуйста, ознакомьтесь с функциями, которые в настоящее время превышают лимиты. Ограничения:",
+    "billingFeatureLossWarning": "Уведомление о доступности функций",
+    "billingFeatureLossDescription": "При переходе на другой тарифный план функции не будут автоматически отключены. Некоторые настройки и конфигурации могут быть потеряны. Пожалуйста, ознакомьтесь с матрицей ценообразования, чтобы понять, какие функции больше не будут доступны.",
+    "billingUsageExceedsLimit": "Текущее использование ({current}) превышает предел ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "Я согласен с",
        "termsOfService": "условия использования",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Интервал здоровых состояний",
    "timeoutSeconds": "Таймаут (сек)",
    "timeIsInSeconds": "Время указано в секундах",
+    "requireDeviceApproval": "Требовать подтверждения устройства",
+    "requireDeviceApprovalDescription": "Пользователям с этой ролью нужны новые устройства, одобренные администратором, прежде чем они смогут подключаться и получать доступ к ресурсам.",
    "retryAttempts": "Количество попыток повторного запроса",
    "expectedResponseCodes": "Ожидаемые коды ответов",
    "expectedResponseCodesDescription": "HTTP-код состояния, указывающий на здоровое состояние. Если оставить пустым, 200-300 считается здоровым.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Внутренних ресурсов не найдено.",
    "resourcesTableDestination": "Пункт назначения",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Псевдоним адреса",
+    "resourcesTableAliasAddressInfo": "Этот адрес является частью вспомогательной подсети организации. Он используется для разрешения псевдонимов с использованием внутреннего разрешения DNS.",
    "resourcesTableClients": "Клиенты",
    "resourcesTableAndOnlyAccessibleInternally": "и доступны только внутренне при подключении с клиентом.",
    "resourcesTableNoTargets": "Нет ярлыков",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
    "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
    "orgAuthSignInWithPangolin": "Войти через Pangolin",
-    "orgAuthSignInToOrg": "Войдите в организацию",
+    "orgAuthSignInToOrg": "Войти в организацию",
    "orgAuthSelectOrgTitle": "Вход в организацию",
    "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
    "orgAuthOrgIdPlaceholder": "ваша-организация",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Вернуться к стандартному входу",
    "orgAuthNoAccount": "Нет учётной записи?",
    "subscriptionRequiredToUse": "Для использования этой функции требуется подписка.",
+    "mustUpgradeToUse": "Вы должны обновить подписку, чтобы использовать эту функцию.",
+    "subscriptionRequiredTierToUse": "Эта функция требует <tierLink>{tier}</tierLink> или выше.",
+    "upgradeToTierToUse": "Обновитесь до <tierLink>{tier}</tierLink> или выше, чтобы использовать эту функцию.",
+    "subscriptionTierTier1": "Главная",
+    "subscriptionTierTier2": "Команда",
+    "subscriptionTierTier3": "Бизнес",
+    "subscriptionTierEnterprise": "Предприятие",
    "idpDisabled": "Провайдеры идентификации отключены.",
    "orgAuthPageDisabled": "Страница авторизации организации отключена.",
    "domainRestartedDescription": "Проверка домена успешно перезапущена",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Получить лицензию",
+        "description": "Выберите план и расскажите нам, как вы планируете использовать Панголин.",
+        "chooseTier": "Выберите ваш план",
+        "viewPricingLink": "Смотрите цены, возможности и ограничения",
+        "tiers": {
+            "starter": {
+                "title": "Старт",
+                "description": "Функции предприятия, 25 пользователей, 25 сайтов, и поддержка сообщества."
+            },
+            "scale": {
+                "title": "Масштаб",
+                "description": "Функции предприятия, 50 пользователей, 50 сайтов, а также приоритетная поддержка."
+            }
+        },
+        "personalUseOnly": "Только для личного пользования (бесплатная лицензия — без оформления)",
+        "buttons": {
+            "continueToCheckout": "Продолжить оформление заказа"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Ошибка оформления заказа",
+                "description": "Не удалось начать оформление заказа. Пожалуйста, попробуйте еще раз."
+            }
+        }
+    },
    "priority": "Приоритет",
    "priorityDescription": "Маршруты с более высоким приоритетом оцениваются первым. Приоритет = 100 означает автоматическое упорядочение (решение системы). Используйте другой номер для обеспечения ручного приоритета.",
    "instanceName": "Имя экземпляра",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
    "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
    "licenseRequiredToUse": "Для использования этой функции требуется лицензия предприятия.",
+    "ossEnterpriseEditionRequired": "Для использования этой функции требуется корпоративная версия <enterpriseEditionLink></enterpriseEditionLink>.",
    "certResolver": "Резольвер сертификата",
    "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
    "selectCertResolver": "Выберите резолвер сертификата",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Код должен быть 9 символов (например, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Неверный или просроченный код",
    "deviceCodeVerifyFailed": "Не удалось проверить код устройства",
+    "deviceCodeValidating": "Проверка кода устройства...",
+    "deviceCodeVerifying": "Проверка авторизации устройства...",
    "signedInAs": "Вы вошли как",
    "deviceCodeEnterPrompt": "Введите код, отображаемый на устройстве",
    "continue": "Продолжить",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Доступ ко всем организациям, к которым ваш аккаунт имеет доступ",
    "deviceAuthorize": "Авторизовать {applicationName}",
    "deviceConnected": "Устройство подключено!",
-    "deviceAuthorizedMessage": "Устройство авторизовано для доступа к вашей учетной записи.",
+    "deviceAuthorizedMessage": "Устройство авторизовано для доступа к вашей учетной записи. Вернитесь в клиентское приложение.",
    "pangolinCloud": "Облако Панголина",
    "viewDevices": "Просмотр устройств",
    "viewDevicesDescription": "Управление подключенными устройствами",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Не вы? Используйте другую учетную запись.",
    "deviceLoginDeviceRequestingAccessToAccount": "Устройство запрашивает доступ к этой учетной записи.",
+    "loginSelectAuthenticationMethod": "Выберите метод аутентификации для продолжения.",
    "noData": "Нет данных",
    "machineClients": "Машинные клиенты",
    "install": "Установить",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Сервис временно недоступен",
    "maintenanceScreenMessage": "В настоящее время мы испытываем технические трудности. Пожалуйста, зайдите позже.",
    "maintenanceScreenEstimatedCompletion": "Предполагаемое завершение:",
-    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес."
+    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес.",
+    "available": "Доступно",
+    "archived": "Архивировано",
+    "noArchivedDevices": "Архивные устройства не найдены",
+    "deviceArchived": "Устройство архивировано",
+    "deviceArchivedDescription": "Устройство успешно архивировано.",
+    "errorArchivingDevice": "Ошибка архивирования устройства",
+    "failedToArchiveDevice": "Не удалось архивировать устройство",
+    "deviceQuestionArchive": "Вы уверены, что хотите архивировать это устройство?",
+    "deviceMessageArchive": "Устройство будет архивировано и удалено из вашего списка активных устройств.",
+    "deviceArchiveConfirm": "Архивировать устройство",
+    "archiveDevice": "Архивировать устройство",
+    "archive": "Архивировать",
+    "deviceUnarchived": "Устройство разархивировано",
+    "deviceUnarchivedDescription": "Устройство было успешно разархивировано.",
+    "errorUnarchivingDevice": "Ошибка разархивирования устройства",
+    "failedToUnarchiveDevice": "Не удалось распаковать устройство",
+    "unarchive": "Разархивировать",
+    "archiveClient": "Архивировать клиента",
+    "archiveClientQuestion": "Вы уверены, что хотите архивировать этого клиента?",
+    "archiveClientMessage": "Клиент будет архивирован и удален из вашего активного списка клиентов.",
+    "archiveClientConfirm": "Архивировать клиента",
+    "blockClient": "Блокировать клиента",
+    "blockClientQuestion": "Вы уверены, что хотите заблокировать этого клиента?",
+    "blockClientMessage": "Устройство будет вынуждено отключиться, если подключено в данный момент. Вы можете разблокировать устройство позже.",
+    "blockClientConfirm": "Блокировать клиента",
+    "active": "Активный",
+    "usernameOrEmail": "Имя пользователя или Email",
+    "selectYourOrganization": "Выберите вашу организацию",
+    "signInTo": "Войти в",
+    "signInWithPassword": "Продолжить с паролем",
+    "noAuthMethodsAvailable": "Методы аутентификации для этой организации недоступны.",
+    "enterPassword": "Введите ваш пароль",
+    "enterMfaCode": "Введите код из вашего приложения-аутентификатора",
+    "securityKeyRequired": "Пожалуйста, используйте ваш защитный ключ для входа.",
+    "needToUseAnotherAccount": "Нужно использовать другой аккаунт?",
+    "loginLegalDisclaimer": "Нажимая на кнопки ниже, вы подтверждаете, что прочитали, поняли и согласны с <termsOfService>Условиями использования</termsOfService> и <privacyPolicy>Политикой конфиденциальности</privacyPolicy>.",
+    "termsOfService": "Условия предоставления услуг",
+    "privacyPolicy": "Политика конфиденциальности",
+    "userNotFoundWithUsername": "Пользователь с таким именем пользователя не найден.",
+    "verify": "Подтвердить",
+    "signIn": "Войти",
+    "forgotPassword": "Забыли пароль?",
+    "orgSignInTip": "Если вы вошли в систему ранее, вы можете ввести имя пользователя или адрес электронной почты, чтобы войти в систему с поставщиком идентификации вашей организации. Это проще!",
+    "continueAnyway": "Все равно продолжить",
+    "dontShowAgain": "Больше не показывать",
+    "orgSignInNotice": "Знаете ли вы?",
+    "signupOrgNotice": "Пытаетесь войти?",
+    "signupOrgTip": "Вы пытаетесь войти через оператора идентификации вашей организации?",
+    "signupOrgLink": "Войдите или зарегистрируйтесь через вашу организацию",
+    "verifyEmailLogInWithDifferentAccount": "Использовать другую учетную запись",
+    "logIn": "Войти",
+    "deviceInformation": "Информация об устройстве",
+    "deviceInformationDescription": "Информация о устройстве и агенте",
+    "deviceSecurity": "Безопасность устройства",
+    "deviceSecurityDescription": "Информация о позе безопасности устройства",
+    "platform": "Платформа",
+    "macosVersion": "Версия macOS",
+    "windowsVersion": "Версия Windows",
+    "iosVersion": "Версия iOS",
+    "androidVersion": "Версия Android",
+    "osVersion": "Версия ОС",
+    "kernelVersion": "Версия ядра",
+    "deviceModel": "Модель устройства",
+    "serialNumber": "Серийный номер",
+    "hostname": "Hostname",
+    "firstSeen": "Первый раз виден",
+    "lastSeen": "Последнее посещение",
+    "biometricsEnabled": "Включены биометрические данные",
+    "diskEncrypted": "Диск зашифрован",
+    "firewallEnabled": "Брандмауэр включен",
+    "autoUpdatesEnabled": "Автоматические обновления включены",
+    "tpmAvailable": "Доступно TPM",
+    "windowsAntivirusEnabled": "Антивирус включен",
+    "macosSipEnabled": "Защита целостности системы (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Стилс-режим брандмауэра",
+    "linuxAppArmorEnabled": "Броня",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Просмотр информации и настроек устройства",
+    "devicePendingApprovalDescription": "Это устройство ожидает одобрения",
+    "deviceBlockedDescription": "Это устройство заблокировано. Оно не сможет подключаться к ресурсам, если не разблокировано.",
+    "unblockClient": "Разблокировать клиента",
+    "unblockClientDescription": "Устройство разблокировано",
+    "unarchiveClient": "Разархивировать клиента",
+    "unarchiveClientDescription": "Устройство было разархивировано",
+    "block": "Блок",
+    "unblock": "Разблокировать",
+    "deviceActions": "Действия устройства",
+    "deviceActionsDescription": "Управление статусом устройства и доступом",
+    "devicePendingApprovalBannerDescription": "Это устройство ожидает одобрения. Он не сможет подключиться к ресурсам до утверждения.",
+    "connected": "Подключено",
+    "disconnected": "Отключено",
+    "approvalsEmptyStateTitle": "Утверждения устройства не включены",
+    "approvalsEmptyStateDescription": "Включите одобрение ролей для того, чтобы пользователи могли подключать новые устройства.",
+    "approvalsEmptyStateStep1Title": "Перейти к ролям",
+    "approvalsEmptyStateStep1Description": "Перейдите в настройки ролей вашей организации для настройки утверждений устройств.",
+    "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
+    "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
+    "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
+    "approvalsEmptyStateButtonText": "Управление ролями"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -18,6 +18,8 @@
    "componentsMember": "{count, plural, =0 {hiçbir organizasyon} one {bir organizasyon} other {# organizasyon}} üyesisiniz.",
    "componentsInvalidKey": "Geçersiz veya süresi dolmuş lisans anahtarları tespit edildi. Tüm özellikleri kullanmaya devam etmek için lisans koşullarına uyun.",
    "dismiss": "Kapat",
+    "subscriptionViolationMessage": "Geçerli planınız için limitlerinizi aştınız. Planınız dahilinde kalmak için siteleri, kullanıcıları veya diğer kaynakları kaldırarak sorunu düzeltin.",
+    "subscriptionViolationViewBilling": "Faturalamayı görüntüle",
    "componentsLicenseViolation": "Lisans İhlali: Bu sunucu, lisanslı sınırı olan {maxSites} sitesini aşarak {usedSites} site kullanmaktadır. Tüm özellikleri kullanmaya devam etmek için lisans koşullarına uyun.",
    "componentsSupporterMessage": "Pangolin'e {tier} olarak destek olduğunuz için teşekkür ederiz!",
    "inviteErrorNotValid": "Üzgünüz, ancak erişmeye çalıştığınız davet kabul edilmemiş veya artık geçerli değil gibi görünüyor.",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "Herhangi Bir Ağa Bağlan",
    "sitesBannerDescription": "Bir site, Pangolin'in kullanıcılara, halka açık veya özel kaynaklara, her yerden erişim sağlamak için uzak bir ağa bağlantı sunmasıdır. Site ağı bağlantısını (Newt) çalıştırabileceğiniz her yere kurarak bağlantıyı kurunuz.",
    "sitesBannerButtonText": "Site Kur",
+    "approvalsBannerTitle": "Cihaz Erişimini Onayla veya Reddet",
+    "approvalsBannerDescription": "Kullanıcılardan gelen cihaz erişim isteklerini gözden geçirin ve onaylayın veya reddedin. Cihaz onaylarının gerekli olduğu durumlarda, kullanıcıların cihazlarının kuruluşunuzun kaynaklarına bağlanabilmesi için yönetici onayı alması gerekecektir.",
+    "approvalsBannerButtonText": "Daha fazla bilgi",
    "siteCreate": "Site Oluştur",
    "siteCreateDescription2": "Yeni bir site oluşturup bağlanmak için aşağıdaki adımları izleyin",
    "siteCreateDescription": "Kaynaklarınızı bağlamaya başlamak için yeni bir site oluşturun",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "Rolleri ara...",
    "accessRolesAdd": "Rol Ekle",
    "accessRoleDelete": "Rolü Sil",
+    "accessApprovalsManage": "Onayları Yönet",
+    "accessApprovalsDescription": "Bu kuruluşa erişim için bekleyen onayları görüntüleyin ve yönetin",
    "description": "Açıklama",
    "inviteTitle": "Açık Davetiyeler",
    "inviteDescription": "Organizasyona katılmak için diğer kullanıcılar için davetleri yönetin",
@@ -450,6 +457,18 @@
    "selectDuration": "Süreyi seçin",
    "selectResource": "Kaynak Seçin",
    "filterByResource": "Kaynağa Göre Filtrele",
+    "selectApprovalState": "Onay Durumunu Seçin",
+    "filterByApprovalState": "Onay Durumuna Göre Filtrele",
+    "approvalListEmpty": "Onay yok",
+    "approvalState": "Onay Durumu",
+    "approve": "Onayla",
+    "approved": "Onaylandı",
+    "denied": "Reddedildi",
+    "deniedApproval": "Reddedilen Onay",
+    "all": "Tümü",
+    "deny": "Reddet",
+    "viewDetails": "Ayrıntıları Gör",
+    "requestingNewDeviceApproval": "yeni bir cihaz talep etti",
    "resetFilters": "Filtreleri Sıfırla",
    "totalBlocked": "Pangolin Tarafından Engellenen İstekler",
    "totalRequests": "Toplam İstekler",
@@ -729,11 +748,23 @@
    "countries": "Ülkeler",
    "accessRoleCreate": "Rol Oluştur",
    "accessRoleCreateDescription": "Kullanıcıları gruplamak ve izinlerini yönetmek için yeni bir rol oluşturun.",
+    "accessRoleEdit": "Rol Düzenle",
+    "accessRoleEditDescription": "Rol bilgilerini düzenleyin.",
    "accessRoleCreateSubmit": "Rol Oluştur",
    "accessRoleCreated": "Rol oluşturuldu",
    "accessRoleCreatedDescription": "Rol başarıyla oluşturuldu.",
    "accessRoleErrorCreate": "Rol oluşturulamadı",
    "accessRoleErrorCreateDescription": "Rol oluşturulurken bir hata oluştu.",
+    "accessRoleUpdateSubmit": "Rolü Güncelle",
+    "accessRoleUpdated": "Rol güncellendi",
+    "accessRoleUpdatedDescription": "Rol başarıyla güncellendi.",
+    "accessApprovalUpdated": "Onay işlendi",
+    "accessApprovalApprovedDescription": "Onay İsteği kararını onaylandı olarak ayarlayın.",
+    "accessApprovalDeniedDescription": "Onay İsteği kararını reddedildi olarak ayarlayın.",
+    "accessRoleErrorUpdate": "Rol güncellenemedi",
+    "accessRoleErrorUpdateDescription": "Rol güncellenirken bir hata oluştu.",
+    "accessApprovalErrorUpdate": "Onay işlenemedi",
+    "accessApprovalErrorUpdateDescription": "Onay işlenirken bir hata oluştu.",
    "accessRoleErrorNewRequired": "Yeni rol gerekli",
    "accessRoleErrorRemove": "Rol kaldırılamadı",
    "accessRoleErrorRemoveDescription": "Rol kaldırılırken bir hata oluştu.",
@@ -874,7 +905,7 @@
    "inviteAlready": "Davetiye gönderilmiş gibi görünüyor!",
    "inviteAlreadyDescription": "Daveti kabul etmek için giriş yapmalı veya bir hesap oluşturmalısınız.",
    "signupQuestion": "Zaten bir hesabınız var mı?",
-    "login": "Giriş yap",
+    "login": "Giriş Yap",
    "resourceNotFound": "No resources found",
    "resourceNotFoundDescription": "Erişmeye çalıştığınız kaynak mevcut değil.",
    "pincodeRequirementsLength": "PIN kesinlikle 6 haneli olmalıdır",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "Yönetici ile iletişime geçin",
    "passwordResetSmtpRequiredDescription": "Parolanızı sıfırlamak için bir parola sıfırlama kodu gereklidir. Yardım için yönetici ile iletişime geçin.",
    "passwordBack": "Şifreye Geri Dön",
-    "loginBack": "Girişe geri dön",
+    "loginBack": "Ana oturum açma sayfasına geri dön",
    "signup": "Kaydol",
    "loginStart": "Başlamak için giriş yapın",
    "idpOidcTokenValidating": "OIDC token'ı doğrulanıyor",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "Kimlik Sağlayıcı Organizasyonu Güncelle",
    "actionCreateClient": "Müşteri Oluştur",
    "actionDeleteClient": "Müşteri Sil",
+    "actionArchiveClient": "İstemci Arşivle",
+    "actionUnarchiveClient": "İstemci Arşivini Kaldır",
+    "actionBlockClient": "İstemci Engelle",
+    "actionUnblockClient": "İstemci Engelini Kaldır",
    "actionUpdateClient": "Müşteri Güncelle",
    "actionListClients": "Müşterileri Listele",
    "actionGetClient": "Müşteriyi Al",
@@ -1134,14 +1169,14 @@
    "searchProgress": "Ara...",
    "create": "Oluştur",
    "orgs": "Organizasyonlar",
-    "loginError": "Giriş yaparken bir hata oluştu",
-    "loginRequiredForDevice": "Cihazınızı kimlik doğrulamak için giriş yapılması gereklidir.",
+    "loginError": "Beklenmeyen bir hata oluştu. Lütfen tekrar deneyin.",
+    "loginRequiredForDevice": "Cihazınız için oturum açmanız gerekiyor.",
    "passwordForgot": "Şifrenizi mi unuttunuz?",
    "otpAuth": "İki Faktörlü Kimlik Doğrulama",
    "otpAuthDescription": "Authenticator uygulamanızdan veya tek kullanımlık yedek kodlarınızdan birini girin.",
    "otpAuthSubmit": "Kodu Gönder",
    "idpContinue": "Veya devam et:",
-    "otpAuthBack": "Girişe Dön",
+    "otpAuthBack": "Şifreye Geri Dön",
    "navbar": "Navigasyon Menüsü",
    "navbarDescription": "Uygulamanın ana navigasyon menüsü",
    "navbarDocsLink": "Dokümantasyon",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "Genel Bakış",
    "sidebarHome": "Ana Sayfa",
    "sidebarSites": "Siteler",
+    "sidebarApprovals": "Onay Talepleri",
    "sidebarResources": "Kaynaklar",
    "sidebarProxyResources": "Herkese Açık",
    "sidebarClientResources": "Özel",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
    "sidebarLicense": "Lisans",
    "sidebarClients": "İstemciler",
-    "sidebarUserDevices": "Kullanıcılar",
+    "sidebarUserDevices": "Kullanıcı Cihazları",
    "sidebarMachineClients": "Makineler",
    "sidebarDomains": "Alan Adları",
    "sidebarGeneral": "Yönet",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "Sunucu yönetici hesabı oluşturulurken bir hata oluştu.",
    "certificateStatus": "Sertifika Durumu",
    "loading": "Yükleniyor",
+    "loadingAnalytics": "Analiz Yükleniyor",
    "restart": "Yeniden Başlat",
    "domains": "Alan Adları",
    "domainsDescription": "Organizasyonda kullanılabilir alan adlarını oluşturun ve yönetin",
@@ -1304,6 +1341,7 @@
    "refreshError": "Veriler yenilenemedi",
    "verified": "Doğrulandı",
    "pending": "Beklemede",
+    "pendingApproval": "Bekleyen Onay",
    "sidebarBilling": "Faturalama",
    "billing": "Faturalama",
    "orgBillingDescription": "Fatura bilgilerinizi ve aboneliklerinizi yönetin",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "Kullanım Limitleri Genel Görünümü",
    "billingMonitorUsage": "Kullanımınızı yapılandırılmış limitlerle karşılaştırın. Limitlerin artırılmasına ihtiyacınız varsa, lütfen support@pangolin.net adresinden bizimle iletişime geçin.",
    "billingDataUsage": "Veri Kullanımı",
-    "billingOnlineTime": "Site Çevrimiçi Süresi",
-    "billingUsers": "Aktif Kullanıcılar",
-    "billingDomains": "Aktif Alanlar",
-    "billingRemoteExitNodes": "Aktif Öz-Host Düğümleri",
+    "billingSites": "Siteler",
+    "billingUsers": "Kullanıcılar",
+    "billingDomains": "Alan Adları",
+    "billingRemoteExitNodes": "Uzak Düğümler",
    "billingNoLimitConfigured": "Hiçbir limit yapılandırılmadı",
    "billingEstimatedPeriod": "Tahmini Fatura Dönemi",
    "billingIncludedUsage": "Dahil Kullanım",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "Portal URL'si alınamadı",
    "billingPortalError": "Portal Hatası",
    "billingDataUsageInfo": "Buluta bağlandığınızda, güvenli tünellerinizden aktarılan tüm verilerden ücret alınırsınız. Bu, tüm sitelerinizdeki gelen ve giden trafiği içerir. Limitinize ulaştığınızda, planınızı yükseltmeli veya kullanımı azaltmalısınız, aksi takdirde siteleriniz bağlantıyı keser. Düğümler kullanırken verilerden ücret alınmaz.",
-    "billingOnlineTimeInfo": "Sitelerinizin buluta ne kadar süre bağlı kaldığına göre ücretlendirilirsiniz. Örneğin, 44,640 dakika, bir sitenin 24/7 boyunca tam bir ay boyunca çalışması anlamına gelir. Limitinize ulaştığınızda, planınızı yükseltmeyip kullanımı azaltmazsanız siteleriniz bağlantıyı keser. Düğümler kullanırken zamandan ücret alınmaz.",
-    "billingUsersInfo": "Kuruluşunuzdaki her kullanıcı için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif kullanıcı hesaplarının sayısına göre günlük olarak hesaplanır.",
-    "billingDomainInfo": "Kuruluşunuzdaki her alan adı için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif alan adları hesaplarının sayısına göre günlük olarak hesaplanır.",
-    "billingRemoteExitNodesInfo": "Kuruluşunuzdaki her yönetilen Düğüm için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif yönetilen Düğümler sayısına göre günlük olarak hesaplanır.",
+    "billingSInfo": "Kaç tane site kullanabileceğiniz",
+    "billingUsersInfo": "Kaç tane kullanıcı kullanabileceğiniz",
+    "billingDomainInfo": "Kaç tane alan adı kullanabileceğiniz",
+    "billingRemoteExitNodesInfo": "Kaç tane uzaktan düğüm kullanabileceğiniz",
+    "billingLicenseKeys": "Lisans Anahtarları",
+    "billingLicenseKeysDescription": "Lisans anahtarı aboneliklerinizi yönetin",
+    "billingLicenseSubscription": "Lisans Aboneliği",
+    "billingInactive": "Pasif",
+    "billingLicenseItem": "Lisans Öğesi",
+    "billingQuantity": "Miktar",
+    "billingTotal": "toplam",
+    "billingModifyLicenses": "Lisans Aboneliğini Düzenle",
    "domainNotFound": "Alan Adı Bulunamadı",
    "domainNotFoundDescription": "Bu kaynak devre dışıdır çünkü alan adı sistemimizde artık mevcut değil. Bu kaynak için yeni bir alan adı belirleyin.",
    "failed": "Başarısız",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "Güvenlik anahtarı başarıyla kaldırıldı",
    "securityKeyRemoveError": "Güvenlik anahtarı kaldırılırken hata oluştu",
    "securityKeyLoadError": "Güvenlik anahtarları yüklenirken hata oluştu",
-    "securityKeyLogin": "Güvenlik anahtarı ile devam edin",
+    "securityKeyLogin": "Güvenlik Anahtarı Kullan",
    "securityKeyAuthError": "Güvenlik anahtarı ile kimlik doğrulama başarısız oldu",
    "securityKeyRecommendation": "Hesabınızdan kilitlenmediğinizden emin olmak için farklı bir cihazda başka bir güvenlik anahtarı kaydetmeyi düşünün.",
    "registering": "Kaydediliyor...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "HTTP dışı kaynaklar için bağlantı noktası numarası gereklidir",
    "resourcePortNotAllowed": "HTTP kaynakları için bağlantı noktası numarası ayarlanmamalı",
    "billingPricingCalculatorLink": "Fiyat Hesaplayıcı",
+    "billingYourPlan": "Planınız",
+    "billingViewOrModifyPlan": "Mevcut planınızı görüntüleyin veya düzenleyin",
+    "billingViewPlanDetails": "Plan Detaylarını Görüntüle",
+    "billingUsageAndLimits": "Kullanım ve Sınırlar",
+    "billingViewUsageAndLimits": "Planınızın limitlerini ve mevcut kullanım durumunu görüntüleyin",
+    "billingCurrentUsage": "Mevcut Kullanım",
+    "billingMaximumLimits": "Maksimum Sınırlar",
+    "billingRemoteNodes": "Uzak Düğümler",
+    "billingUnlimited": "Sınırsız",
+    "billingPaidLicenseKeys": "Ücretli Lisans Anahtarları",
+    "billingManageLicenseSubscription": "Kendi barındırdığınız ücretli lisans anahtarları için aboneliğinizi yönetin",
+    "billingCurrentKeys": "Mevcut Anahtarlar",
+    "billingModifyCurrentPlan": "Mevcut Planı Düzenle",
+    "billingConfirmUpgrade": "Yükseltmeyi Onayla",
+    "billingConfirmDowngrade": "Düşürmeyi Onayla",
+    "billingConfirmUpgradeDescription": "Planınızı yükseltmek üzeresiniz. Yeni limitleri ve fiyatları aşağıda inceleyin.",
+    "billingConfirmDowngradeDescription": "Planınızı düşürmek üzeresiniz. Yeni limitleri ve fiyatları aşağıda inceleyin.",
+    "billingPlanIncludes": "Plan İçerikleri",
+    "billingProcessing": "İşleniyor...",
+    "billingConfirmUpgradeButton": "Yükseltmeyi Onayla",
+    "billingConfirmDowngradeButton": "Düşürmeyi Onayla",
+    "billingLimitViolationWarning": "Kullanım Yeni Plan Sınırlarını Aşıyor",
+    "billingLimitViolationDescription": "Mevcut kullanımınız bu planın sınırlarını aşıyor. Düzeltmelerden sonra, yeni sınırlar içinde kalana kadar tüm işlemler devre dışı bırakılacak. Lütfen şu anda limitlerin üzerinde olan özellikleri inceleyin. İhlal edilen sınırlar:",
+    "billingFeatureLossWarning": "Özellik Kullanılabilirlik Bildirimi",
+    "billingFeatureLossDescription": "Plan düşürüldüğünde, yeni planda mevcut olmayan özellikler otomatik olarak devre dışı bırakılacaktır. Bazı ayarlar ve yapılar kaybolabilir. Hangi özelliklerin artık mevcut olmayacağını anlamak için fiyat tablosunu inceleyiniz.",
+    "billingUsageExceedsLimit": "Mevcut kullanım ({current}) limitleri ({limit}) aşıyor",
    "signUpTerms": {
        "IAgreeToThe": "Kabul ediyorum",
        "termsOfService": "hizmet şartları",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "Sağlıklı Aralık",
    "timeoutSeconds": "Zaman Aşımı (saniye)",
    "timeIsInSeconds": "Zaman saniye cinsindendir",
+    "requireDeviceApproval": "Cihaz Onaylarını Gerektir",
+    "requireDeviceApprovalDescription": "Bu role sahip kullanıcıların yeni cihazlarının bağlanabilmesi ve kaynaklara erişebilmesi için bir yönetici tarafından onaylanması gerekiyor.",
    "retryAttempts": "Tekrar Deneme Girişimleri",
    "expectedResponseCodes": "Beklenen Yanıt Kodları",
    "expectedResponseCodesDescription": "Sağlıklı durumu gösteren HTTP durum kodu. Boş bırakılırsa, 200-300 arası sağlıklı kabul edilir.",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "Hiçbir dahili kaynak bulunamadı.",
    "resourcesTableDestination": "Hedef",
    "resourcesTableAlias": "Takma Ad",
+    "resourcesTableAliasAddress": "Alias Adresi",
+    "resourcesTableAliasAddressInfo": "Bu adres, kuruluşun yardımcı ağ alt bantının bir parçasıdır. Alias kayıtlarını çözümlemek için dahili DNS çözümlemesi kullanılır.",
    "resourcesTableClients": "İstemciler",
    "resourcesTableAndOnlyAccessibleInternally": "veyalnızca bir istemci ile bağlandığında dahili olarak erişilebilir.",
    "resourcesTableNoTargets": "Hedef yok",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "Standart girişe geri dön",
    "orgAuthNoAccount": "Hesabınız yok mu?",
    "subscriptionRequiredToUse": "Bu özelliği kullanmak için abonelik gerekmektedir.",
+    "mustUpgradeToUse": "Bu özelliği kullanmak için aboneliğinizi yükseltmelisiniz.",
+    "subscriptionRequiredTierToUse": "Bu özellik <tierLink>{tier}</tierLink> veya daha üstünü gerektirir.",
+    "upgradeToTierToUse": "Bu özelliği kullanmak için <tierLink>{tier}</tierLink> veya daha üst bir seviyeye yükseltin.",
+    "subscriptionTierTier1": "Ana Sayfa",
+    "subscriptionTierTier2": "Takım",
+    "subscriptionTierTier3": "İşletme",
+    "subscriptionTierEnterprise": "Kurumsal",
    "idpDisabled": "Kimlik sağlayıcılar devre dışı bırakılmıştır.",
    "orgAuthPageDisabled": "Kuruluş kimlik doğrulama sayfası devre dışı bırakılmıştır.",
    "domainRestartedDescription": "Alan doğrulaması başarıyla yeniden başlatıldı",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "Bir lisans alın",
+        "description": "Bir plan seçin ve Pangolin'i nasıl kullanmayı planladığınızı anlatın.",
+        "chooseTier": "Planınızı seçin",
+        "viewPricingLink": "Fiyatları, özellikleri ve limitleri görüntüleyin",
+        "tiers": {
+            "starter": {
+                "title": "Başlangıç",
+                "description": "Kurumsal özellikler, 25 kullanıcı, 25 site ve topluluk desteği."
+            },
+            "scale": {
+                "title": "Ölçek",
+                "description": "Kurumsal özellikler, 50 kullanıcı, 50 site ve öncelikli destek."
+            }
+        },
+        "personalUseOnly": "Yalnızca kişisel kullanım (ücretsiz lisans — ödeme yapılmaz)",
+        "buttons": {
+            "continueToCheckout": "Ödemeye Devam Et"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "Ödeme Hatası",
+                "description": "Ödeme işlemi başlatılamadı. Lütfen tekrar deneyin."
+            }
+        }
+    },
    "priority": "Öncelik",
    "priorityDescription": "Daha yüksek öncelikli rotalar önce değerlendirilir. Öncelik = 100, otomatik sıralama anlamına gelir (sistem karar verir). Manuel öncelik uygulamak için başka bir numara kullanın.",
    "instanceName": "Örnek İsmi",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
    "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
    "licenseRequiredToUse": "Bu özelliği kullanmak için bir kurumsal lisans gereklidir.",
+    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Kurumsal Sürüm</enterpriseEditionLink> gereklidir.",
    "certResolver": "Sertifika Çözücü",
    "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
    "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "Kod 9 karakter olmalı (ör. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Geçersiz veya süresi dolmuş kod",
    "deviceCodeVerifyFailed": "Cihaz kodu doğrulanamadı",
+    "deviceCodeValidating": "Cihaz kodu doğrulanıyor...",
+    "deviceCodeVerifying": "Cihaz yetkilendirme doğrulanıyor...",
    "signedInAs": "Olarak giriş yapıldı",
    "deviceCodeEnterPrompt": "Cihazda gösterilen kodu girin",
    "continue": "Devam Et",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "Hesabınızın erişim hakkına sahip olduğu tüm organizasyonlara erişim",
    "deviceAuthorize": "{uygulamaAdi} yetkilendir",
    "deviceConnected": "Cihaz Bağlandı!",
-    "deviceAuthorizedMessage": "Cihazınız, hesabınıza erişim izni almıştır.",
+    "deviceAuthorizedMessage": "Cihaz hesabınıza erişim yetkisine sahiptir. Lütfen istemci uygulamasına geri dönün.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Cihazları Görüntüle",
    "viewDevicesDescription": "Bağlantılı cihazlarınızı yönetin",
@@ -2306,6 +2418,7 @@
    "identifier": "Tanımlayıcı",
    "deviceLoginUseDifferentAccount": "Siz değil misiniz? Farklı bir hesap kullanın.",
    "deviceLoginDeviceRequestingAccessToAccount": "Bir cihaz bu hesaba erişim talep ediyor.",
+    "loginSelectAuthenticationMethod": "Devam etmek için bir kimlik doğrulama yöntemi seçin.",
    "noData": "Veri Yok",
    "machineClients": "Makine İstemcileri",
    "install": "Yükle",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "Servis Geçici Olarak Kullanılamıyor",
    "maintenanceScreenMessage": "Şu anda teknik zorluklar yaşıyoruz. Lütfen yakında tekrar kontrol edin.",
    "maintenanceScreenEstimatedCompletion": "Tahmini Tamamlama:",
-    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir"
+    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir",
+    "available": "Mevcut",
+    "archived": "Arşivlenmiş",
+    "noArchivedDevices": "Arşivlenmiş cihaz bulunamadı",
+    "deviceArchived": "Cihaz arşivlendi",
+    "deviceArchivedDescription": "Cihaz başarıyla arşivlendi.",
+    "errorArchivingDevice": "Cihaz arşivleme hatası",
+    "failedToArchiveDevice": "Cihaz arşivlenemedi",
+    "deviceQuestionArchive": "Bu cihazı arşivlemek istediğinizden emin misiniz?",
+    "deviceMessageArchive": "Cihaz arşivlenecek ve aktif cihazlar listenizden kaldırılacak.",
+    "deviceArchiveConfirm": "Cihaz Arşivle",
+    "archiveDevice": "Cihaz Arşivle",
+    "archive": "Arşivle",
+    "deviceUnarchived": "Cihaz arşivden çıkarıldı",
+    "deviceUnarchivedDescription": "Cihaz başarıyla arşivden çıkarıldı.",
+    "errorUnarchivingDevice": "Cihaz arşivden çıkartılamadı",
+    "failedToUnarchiveDevice": "Cihaz arşivden çıkarılamadı",
+    "unarchive": "Arşivden Çıkart",
+    "archiveClient": "İstemci Arşivle",
+    "archiveClientQuestion": "Bu istemciyi arşivlemek istediğinizden emin misiniz?",
+    "archiveClientMessage": "İstemci arşivlenecek ve aktif istemciler listenizden çıkarılacak.",
+    "archiveClientConfirm": "İstemci Arşivle",
+    "blockClient": "İstemci Engelle",
+    "blockClientQuestion": "Bu istemciyi engellemek istediğinizden emin misiniz?",
+    "blockClientMessage": "Cihaz şu anda bağlıysa bağlantısı kesilecek. Cihazı daha sonra engelini kaldırabilirsiniz.",
+    "blockClientConfirm": "İstemci Engelle",
+    "active": "Aktif",
+    "usernameOrEmail": "Kullanıcı adı veya E-posta",
+    "selectYourOrganization": "Kuruluşunuzu seçin",
+    "signInTo": "Giriş yapın",
+    "signInWithPassword": "Şifre ile Devam Et",
+    "noAuthMethodsAvailable": "Bu kuruluş için kullanılabilir kimlik doğrulama yöntemleri yok.",
+    "enterPassword": "Şifrenizi girin",
+    "enterMfaCode": "Authenticator uygulamanızdan kodu girin",
+    "securityKeyRequired": "Giriş yapmak için güvenlik anahtarınızı kullanın.",
+    "needToUseAnotherAccount": "Farklı bir hesap kullanmanız mı gerekiyor?",
+    "loginLegalDisclaimer": "Aşağıdaki butonlara tıklayarak, <termsOfService>Hizmet Şartları</termsOfService> ve <privacyPolicy>Gizlilik Politikası</privacyPolicy> metinlerini okuduğunuzu ve anladığınızı kabul etmektesiniz.",
+    "termsOfService": "Hizmet Şartları",
+    "privacyPolicy": "Gizlilik Politikası",
+    "userNotFoundWithUsername": "Bu kullanıcı adıyla eşleşen kullanıcı bulunamadı.",
+    "verify": "Doğrula",
+    "signIn": "Giriş Yap",
+    "forgotPassword": "Şifreni mi unuttun?",
+    "orgSignInTip": "Daha önce giriş yaptıysanız, yukarıda kullanıcı adınızı veya e-posta adresinizi girerek kuruluşunuzun kimlik sağlayıcısıyla kimlik doğrulaması yapabilirsiniz. Daha kolay!",
+    "continueAnyway": "Yine de devam et",
+    "dontShowAgain": "Tekrar gösterme",
+    "orgSignInNotice": "Biliyor muydunuz?",
+    "signupOrgNotice": "Giriş yapmaya mı çalışıyorsunuz?",
+    "signupOrgTip": "Kuruluşunuzun kimlik sağlayıcısı aracılığıyla giriş yapmaya mı çalışıyorsunuz?",
+    "signupOrgLink": "Bunun yerine kuruluşunuzla giriş yapın veya kaydolun",
+    "verifyEmailLogInWithDifferentAccount": "Farklı Bir Hesap Kullan",
+    "logIn": "Giriş Yap",
+    "deviceInformation": "Cihaz Bilgisi",
+    "deviceInformationDescription": "Cihaz ve temsilci hakkında bilgi",
+    "deviceSecurity": "Cihaz Güvenliği",
+    "deviceSecurityDescription": "Cihaz güvenliği durumu bilgisi",
+    "platform": "Platform",
+    "macosVersion": "macOS Sürümü",
+    "windowsVersion": "Windows Sürümü",
+    "iosVersion": "iOS Sürümü",
+    "androidVersion": "Android Sürümü",
+    "osVersion": "İşletim Sistemi Sürümü",
+    "kernelVersion": "Çekirdek Sürümü",
+    "deviceModel": "Cihaz Modeli",
+    "serialNumber": "Seri Numarası",
+    "hostname": "Ana Makine Adı",
+    "firstSeen": "İlk Görüldü",
+    "lastSeen": "Son Görüldü",
+    "biometricsEnabled": "Biyometri Etkin",
+    "diskEncrypted": "Disk Şifrelenmiş",
+    "firewallEnabled": "Güvenlik Duvarı Etkin",
+    "autoUpdatesEnabled": "Otomatik Güncellemeler Etkin",
+    "tpmAvailable": "TPM Mevcut",
+    "windowsAntivirusEnabled": "Antivirüs Etkinleştirildi",
+    "macosSipEnabled": "Sistem Bütünlüğü Koruması (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Güvenlik Duvarı Gizlilik Modu",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Cihaz bilgilerini ve ayarlarını görüntüleyin",
+    "devicePendingApprovalDescription": "Bu cihaz onay bekliyor",
+    "deviceBlockedDescription": "Bu cihaz şu anda engellidir. Engeli kaldırılmadığı sürece hiçbir kaynağa bağlanamayacaktır.",
+    "unblockClient": "İstemci Engeli Kaldır",
+    "unblockClientDescription": "Cihazın engeli kaldırıldı",
+    "unarchiveClient": "İstemci Arşivini Kaldır",
+    "unarchiveClientDescription": "Cihaz arşivden çıkarıldı",
+    "block": "Engelle",
+    "unblock": "Engelini Kaldır",
+    "deviceActions": "Cihaz İşlemleri",
+    "deviceActionsDescription": "Cihaz durumu ve erişimini yönetin",
+    "devicePendingApprovalBannerDescription": "Bu cihaz onay bekliyor. Onaylanana kadar kaynaklara bağlanamayacak.",
+    "connected": "Bağlandı",
+    "disconnected": "Bağlantı Kesildi",
+    "approvalsEmptyStateTitle": "Cihaz Onayları Etkin Değil",
+    "approvalsEmptyStateDescription": "Kullanıcıların yeni cihazlara bağlanabilmeleri için yönetici onayı gerektiren rol cihaz onaylarını etkinleştirin.",
+    "approvalsEmptyStateStep1Title": "Rollere Git",
+    "approvalsEmptyStateStep1Description": "Cihaz onaylarını yapılandırmak için kuruluşunuzun rol ayarlarına gidin.",
+    "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
+    "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
+    "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
+    "approvalsEmptyStateButtonText": "Rolleri Yönet"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -18,6 +18,8 @@
    "componentsMember": "您属于{count, plural, =0 {没有组织} one {一个组织} other {# 个组织}}。",
    "componentsInvalidKey": "检测到无效或过期的许可证密钥。按照许可证条款操作以继续使用所有功能。",
    "dismiss": "忽略",
+    "subscriptionViolationMessage": "您的当前计划超出了您的限制。通过移除站点、用户或其他资源以保持在您的计划范围内来纠正问题。",
+    "subscriptionViolationViewBilling": "查看计费",
    "componentsLicenseViolation": "许可证超限：该服务器使用了 {usedSites} 个站点，已超过授权的 {maxSites} 个。请遵守许可证条款以继续使用全部功能。",
    "componentsSupporterMessage": "感谢您的支持！您现在是 Pangolin 的 {tier} 用户。",
    "inviteErrorNotValid": "很抱歉，但看起来你试图访问的邀请尚未被接受或不再有效。",
@@ -56,6 +58,9 @@
    "sitesBannerTitle": "连接任何网络",
    "sitesBannerDescription": "站点是连接到远程网络的链接，允许Pangolin为用户提供资源访问，无论是公共还是私人。可以在任何可以运行二进制文件或容器的地方安装站点网络连接器（Newt）以建立连接。",
    "sitesBannerButtonText": "安装站点",
+    "approvalsBannerTitle": "批准或拒绝设备访问",
+    "approvalsBannerDescription": "审核、批准或拒绝用户的设备访问请求。 当需要设备批准时，用户必须先获得管理员批准，然后他们的设备才能连接到您的组织资源。",
+    "approvalsBannerButtonText": "了解更多",
    "siteCreate": "创建站点",
    "siteCreateDescription2": "按照下面的步骤创建和连接一个新站点",
    "siteCreateDescription": "创建一个新站点开始连接资源",
@@ -257,6 +262,8 @@
    "accessRolesSearch": "搜索角色...",
    "accessRolesAdd": "添加角色",
    "accessRoleDelete": "删除角色",
+    "accessApprovalsManage": "管理批准",
+    "accessApprovalsDescription": "查看和管理待审批的组织访问权限",
    "description": "描述",
    "inviteTitle": "打开邀请",
    "inviteDescription": "管理其他用户加入机构的邀请",
@@ -450,6 +457,18 @@
    "selectDuration": "选择持续时间",
    "selectResource": "选择资源",
    "filterByResource": "按资源过滤",
+    "selectApprovalState": "选择审批状态",
+    "filterByApprovalState": "按批准状态过滤",
+    "approvalListEmpty": "无批准",
+    "approvalState": "审批状态",
+    "approve": "批准",
+    "approved": "已批准",
+    "denied": "被拒绝",
+    "deniedApproval": "拒绝批准",
+    "all": "所有",
+    "deny": "拒绝",
+    "viewDetails": "查看详情",
+    "requestingNewDeviceApproval": "请求了一个新设备",
    "resetFilters": "重置过滤器",
    "totalBlocked": "被Pangolin阻止的请求",
    "totalRequests": "总请求",
@@ -729,16 +748,28 @@
    "countries": "国家",
    "accessRoleCreate": "创建角色",
    "accessRoleCreateDescription": "创建一个新角色来分组用户并管理他们的权限。",
+    "accessRoleEdit": "编辑角色",
+    "accessRoleEditDescription": "编辑角色信息。",
    "accessRoleCreateSubmit": "创建角色",
    "accessRoleCreated": "角色已创建",
    "accessRoleCreatedDescription": "角色已成功创建。",
    "accessRoleErrorCreate": "创建角色失败",
    "accessRoleErrorCreateDescription": "创建角色时出错。",
+    "accessRoleUpdateSubmit": "更新角色",
+    "accessRoleUpdated": "角色已更新",
+    "accessRoleUpdatedDescription": "角色已成功更新。",
+    "accessApprovalUpdated": "审批已处理",
+    "accessApprovalApprovedDescription": "将审批请求决定设置为已批准。",
+    "accessApprovalDeniedDescription": "设置审批请求决定被拒绝。",
+    "accessRoleErrorUpdate": "更新角色失败",
+    "accessRoleErrorUpdateDescription": "更新角色时出错。",
+    "accessApprovalErrorUpdate": "处理审核失败",
+    "accessApprovalErrorUpdateDescription": "处理批准时出错。",
    "accessRoleErrorNewRequired": "需要新角色",
    "accessRoleErrorRemove": "删除角色失败",
    "accessRoleErrorRemoveDescription": "删除角色时出错。",
    "accessRoleName": "角色名称",
-    "accessRoleQuestionRemove": "您即将删除 {name} 角色。 此操作无法撤销。",
+    "accessRoleQuestionRemove": "您即将删除 `{name}` 角色。此操作无法撤销。",
    "accessRoleRemove": "删除角色",
    "accessRoleRemoveDescription": "从组织中删除角色",
    "accessRoleRemoveSubmit": "删除角色",
@@ -960,7 +991,7 @@
    "passwordResetSmtpRequired": "请联系您的管理员",
    "passwordResetSmtpRequiredDescription": "需要密码重置密码。请联系您的管理员寻求帮助。",
    "passwordBack": "回到密码",
-    "loginBack": "返回登录",
+    "loginBack": "返回主登录页面",
    "signup": "注册",
    "loginStart": "登录以开始",
    "idpOidcTokenValidating": "正在验证 OIDC 令牌",
@@ -1118,6 +1149,10 @@
    "actionUpdateIdpOrg": "更新 IDP组织",
    "actionCreateClient": "创建客户端",
    "actionDeleteClient": "删除客户端",
+    "actionArchiveClient": "归档客户端",
+    "actionUnarchiveClient": "取消归档客户端",
+    "actionBlockClient": "屏蔽客户端",
+    "actionUnblockClient": "解除屏蔽客户端",
    "actionUpdateClient": "更新客户端",
    "actionListClients": "列出客户端",
    "actionGetClient": "获取客户端",
@@ -1134,14 +1169,14 @@
    "searchProgress": "搜索中...",
    "create": "创建",
    "orgs": "组织",
-    "loginError": "登录时出错",
-    "loginRequiredForDevice": "需要登录才能验证您的设备。",
+    "loginError": "发生意外错误。请重试。",
+    "loginRequiredForDevice": "您的设备需要登录。",
    "passwordForgot": "忘记密码？",
    "otpAuth": "两步验证",
    "otpAuthDescription": "从您的身份验证程序中输入代码或您的单次备份代码。",
    "otpAuthSubmit": "提交代码",
    "idpContinue": "或者继续",
-    "otpAuthBack": "返回登录",
+    "otpAuthBack": "回到密码",
    "navbar": "导航菜单",
    "navbarDescription": "应用程序的主导航菜单",
    "navbarDocsLink": "文件",
@@ -1189,6 +1224,7 @@
    "sidebarOverview": "概览",
    "sidebarHome": "首页",
    "sidebarSites": "站点",
+    "sidebarApprovals": "审批请求",
    "sidebarResources": "资源",
    "sidebarProxyResources": "公开的",
    "sidebarClientResources": "非公开的",
@@ -1205,7 +1241,7 @@
    "sidebarIdentityProviders": "身份提供商",
    "sidebarLicense": "证书",
    "sidebarClients": "客户端",
-    "sidebarUserDevices": "用户",
+    "sidebarUserDevices": "用户设备",
    "sidebarMachineClients": "机",
    "sidebarDomains": "域",
    "sidebarGeneral": "管理",
@@ -1277,6 +1313,7 @@
    "setupErrorCreateAdmin": "创建服务器管理员账户时发生错误。",
    "certificateStatus": "证书状态",
    "loading": "加载中",
+    "loadingAnalytics": "加载分析",
    "restart": "重启",
    "domains": "域",
    "domainsDescription": "创建和管理组织中可用的域",
@@ -1304,6 +1341,7 @@
    "refreshError": "刷新数据失败",
    "verified": "已验证",
    "pending": "待定",
+    "pendingApproval": "等待批准",
    "sidebarBilling": "计费",
    "billing": "计费",
    "orgBillingDescription": "管理账单信息和订阅",
@@ -1368,10 +1406,10 @@
    "billingUsageLimitsOverview": "使用限制概览",
    "billingMonitorUsage": "监控您的使用情况以对比已配置的限制。如需提高限制请联系我们 support@pangolin.net。",
    "billingDataUsage": "数据使用情况",
-    "billingOnlineTime": "站点在线时间",
-    "billingUsers": "活跃用户",
-    "billingDomains": "活跃域",
-    "billingRemoteExitNodes": "活跃自托管节点",
+    "billingSites": "站点",
+    "billingUsers": "用户",
+    "billingDomains": "域",
+    "billingRemoteExitNodes": "远程节点",
    "billingNoLimitConfigured": "未配置限制",
    "billingEstimatedPeriod": "估计结算周期",
    "billingIncludedUsage": "包含的使用量",
@@ -1396,10 +1434,18 @@
    "billingFailedToGetPortalUrl": "无法获取门户网址",
    "billingPortalError": "门户错误",
    "billingDataUsageInfo": "当连接到云端时，您将为通过安全隧道传输的所有数据收取费用。 这包括您所有站点的进出流量。 当您达到上限时，您的站点将断开连接，直到您升级计划或减少使用。使用节点时不收取数据。",
-    "billingOnlineTimeInfo": "您要根据您的网站连接到云端的时间长短收取费用。 例如，44,640分钟等于一个24/7全月运行的网站。 当您达到上限时，您的站点将断开连接，直到您升级计划或减少使用。使用节点时不收取费用。",
-    "billingUsersInfo": "您为组织中的每个用户收取费用。每日计费是根据您组织中活跃用户帐户的数量计算的。",
-    "billingDomainInfo": "您在组织中的每个域都要收取费用。每日计费是根据您组织中的活动域帐户数计算的。",
-    "billingRemoteExitNodesInfo": "您为组织中的每个管理节点收取费用。计费是每日根据您组织中活跃的管理节点数计算的。",
+    "billingSInfo": "您可以使用多少站点",
+    "billingUsersInfo": "您可以使用多少用户",
+    "billingDomainInfo": "您可以使用多少域",
+    "billingRemoteExitNodesInfo": "您可以使用多少远程节点",
+    "billingLicenseKeys": "许可证密钥",
+    "billingLicenseKeysDescription": "管理您的许可证密钥订阅",
+    "billingLicenseSubscription": "许可订阅",
+    "billingInactive": "未激活",
+    "billingLicenseItem": "许可证项目",
+    "billingQuantity": "数量",
+    "billingTotal": "总计",
+    "billingModifyLicenses": "修改许可订阅",
    "domainNotFound": "域未找到",
    "domainNotFoundDescription": "此资源已禁用，因为该域不再在我们的系统中存在。请为此资源设置一个新域。",
    "failed": "失败",
@@ -1420,7 +1466,7 @@
    "securityKeyRemoveSuccess": "安全密钥删除成功",
    "securityKeyRemoveError": "删除安全密钥失败",
    "securityKeyLoadError": "加载安全密钥失败",
-    "securityKeyLogin": "使用安全密钥继续",
+    "securityKeyLogin": "使用安全密钥",
    "securityKeyAuthError": "使用安全密钥认证失败",
    "securityKeyRecommendation": "考虑在其他设备上注册另一个安全密钥，以确保不会被锁定在您的账户之外。",
    "registering": "注册中...",
@@ -1476,6 +1522,32 @@
    "resourcePortRequired": "非 HTTP 资源必须输入端口号",
    "resourcePortNotAllowed": "HTTP 资源不应设置端口号",
    "billingPricingCalculatorLink": "价格计算器",
+    "billingYourPlan": "您的计划",
+    "billingViewOrModifyPlan": "查看或修改您当前的计划",
+    "billingViewPlanDetails": "查看计划详细信息",
+    "billingUsageAndLimits": "用法和限制",
+    "billingViewUsageAndLimits": "查看您的计划限制和当前使用情况",
+    "billingCurrentUsage": "当前使用情况",
+    "billingMaximumLimits": "最大限制",
+    "billingRemoteNodes": "远程节点",
+    "billingUnlimited": "无限制",
+    "billingPaidLicenseKeys": "付费许可证密钥",
+    "billingManageLicenseSubscription": "管理您对付费的自托管许可证密钥的订阅",
+    "billingCurrentKeys": "当前密钥",
+    "billingModifyCurrentPlan": "修改当前计划",
+    "billingConfirmUpgrade": "确认升级",
+    "billingConfirmDowngrade": "确认降级",
+    "billingConfirmUpgradeDescription": "您即将升级您的计划。请检查下面的新限额和定价。",
+    "billingConfirmDowngradeDescription": "您即将降级计划。请检查下面的新限额和定价。",
+    "billingPlanIncludes": "计划包含",
+    "billingProcessing": "正在处理...",
+    "billingConfirmUpgradeButton": "确认升级",
+    "billingConfirmDowngradeButton": "确认降级",
+    "billingLimitViolationWarning": "超出新计划限制",
+    "billingLimitViolationDescription": "您当前的使用量超过了此计划的限制。降级后，所有操作都将被禁用，直到您在新的限制范围内减少使用量。 请查看以下当前超出限制的特性：",
+    "billingFeatureLossWarning": "功能可用通知",
+    "billingFeatureLossDescription": "如果降级，新计划中不可用的功能将被自动禁用。一些设置和配置可能会丢失。 请查看定价矩阵以了解哪些功能将不再可用。",
+    "billingUsageExceedsLimit": "当前使用量 ({current}) 超出限制 ({limit})",
    "signUpTerms": {
        "IAgreeToThe": "我同意",
        "termsOfService": "服务条款",
@@ -1547,6 +1619,8 @@
    "IntervalSeconds": "正常间隔",
    "timeoutSeconds": "超时(秒)",
    "timeIsInSeconds": "时间以秒为单位",
+    "requireDeviceApproval": "需要设备批准",
+    "requireDeviceApprovalDescription": "具有此角色的用户需要管理员批准的新设备才能连接和访问资源。",
    "retryAttempts": "重试次数",
    "expectedResponseCodes": "期望响应代码",
    "expectedResponseCodesDescription": "HTTP 状态码表示健康状态。如留空，200-300 被视为健康。",
@@ -1587,6 +1661,8 @@
    "resourcesTableNoInternalResourcesFound": "未找到内部资源。",
    "resourcesTableDestination": "目标",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "别名地址",
+    "resourcesTableAliasAddressInfo": "此地址是组织实用子网的一部分。它用来使用内部DNS解析来解析别名记录。",
    "resourcesTableClients": "客户端",
    "resourcesTableAndOnlyAccessibleInternally": "且仅在与客户端连接时可内部访问。",
    "resourcesTableNoTargets": "没有目标",
@@ -1876,7 +1952,7 @@
    "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
    "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
    "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
-    "orgAuthSignInToOrg": "登录到一个组织",
+    "orgAuthSignInToOrg": "登录到组织",
    "orgAuthSelectOrgTitle": "组织登录",
    "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
    "orgAuthOrgIdPlaceholder": "您的组织",
@@ -1886,6 +1962,13 @@
    "orgAuthBackToSignIn": "返回标准登录",
    "orgAuthNoAccount": "没有账户？",
    "subscriptionRequiredToUse": "需要订阅才能使用此功能。",
+    "mustUpgradeToUse": "您必须升级您的订阅才能使用此功能。",
+    "subscriptionRequiredTierToUse": "此功能需要 <tierLink>{tier}</tierLink> 或更高级别。",
+    "upgradeToTierToUse": "升级到 <tierLink>{tier}</tierLink> 或更高级别以使用此功能。",
+    "subscriptionTierTier1": "首页",
+    "subscriptionTierTier2": "团队",
+    "subscriptionTierTier3": "业务",
+    "subscriptionTierEnterprise": "企业",
    "idpDisabled": "身份提供者已禁用。",
    "orgAuthPageDisabled": "组织认证页面已禁用。",
    "domainRestartedDescription": "域验证重新启动成功",
@@ -2073,6 +2156,32 @@
            }
        }
    },
+    "newPricingLicenseForm": {
+        "title": "获取许可证",
+        "description": "选择一个计划，告诉我们你计划如何使用 Pangolin。",
+        "chooseTier": "选择您的计划",
+        "viewPricingLink": "查看价格、特征和限制",
+        "tiers": {
+            "starter": {
+                "title": "启动器",
+                "description": "企业特征，25个用户，25个站点和社区支持。"
+            },
+            "scale": {
+                "title": "缩放比例",
+                "description": "企业特征、50个用户、50个站点和优先支持。"
+            }
+        },
+        "personalUseOnly": "仅供个人使用 (免费许可证-无签出)",
+        "buttons": {
+            "continueToCheckout": "继续签出"
+        },
+        "toasts": {
+            "checkoutError": {
+                "title": "签出错误",
+                "description": "无法启动结帐。请重试。"
+            }
+        }
+    },
    "priority": "优先权",
    "priorityDescription": "先评估更高优先级线路。优先级 = 100意味着自动排序(系统决定). 使用另一个数字强制执行手动优先级。",
    "instanceName": "实例名称",
@@ -2172,6 +2281,7 @@
    "actionLogsDescription": "查看此机构执行的操作历史",
    "accessLogsDescription": "查看此机构资源的访问认证请求",
    "licenseRequiredToUse": "需要企业许可证才能使用此功能。",
+    "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。",
    "certResolver": "证书解决器",
    "certResolverDescription": "选择用于此资源的证书解析器。",
    "selectCertResolver": "选择证书解析",
@@ -2232,6 +2342,8 @@
    "deviceCodeInvalidFormat": "代码必须是9个字符(如A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "无效或过期的代码",
    "deviceCodeVerifyFailed": "验证设备代码失败",
+    "deviceCodeValidating": "正在验证设备代码...",
+    "deviceCodeVerifying": "正在验证设备授权...",
    "signedInAs": "登录为",
    "deviceCodeEnterPrompt": "输入设备上显示的代码",
    "continue": "继续",
@@ -2244,7 +2356,7 @@
    "deviceOrganizationsAccess": "访问您的帐户拥有访问权限的所有组织",
    "deviceAuthorize": "授权{applicationName}",
    "deviceConnected": "设备已连接！",
-    "deviceAuthorizedMessage": "设备被授权访问您的帐户。",
+    "deviceAuthorizedMessage": "设备被授权访问您的帐户。请返回客户端应用程序。",
    "pangolinCloud": "邦戈林云",
    "viewDevices": "查看设备",
    "viewDevicesDescription": "管理您已连接的设备",
@@ -2306,6 +2418,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "不是你？使用一个不同的帐户。",
    "deviceLoginDeviceRequestingAccessToAccount": "设备正在请求访问此帐户。",
+    "loginSelectAuthenticationMethod": "选择要继续的身份验证方法。",
    "noData": "无数据",
    "machineClients": "机器客户端",
    "install": "安装",
@@ -2394,5 +2507,105 @@
    "maintenanceScreenTitle": "服务暂时不可用",
    "maintenanceScreenMessage": "我们目前遇到技术问题。 请稍后再回来查看。",
    "maintenanceScreenEstimatedCompletion": "预计完成时间：",
-    "createInternalResourceDialogDestinationRequired": "需要目标地址"
+    "createInternalResourceDialogDestinationRequired": "需要目标地址",
+    "available": "可用",
+    "archived": "已存档",
+    "noArchivedDevices": "未找到存档设备",
+    "deviceArchived": "设备已存档",
+    "deviceArchivedDescription": "设备已成功归档。",
+    "errorArchivingDevice": "错误存档设备",
+    "failedToArchiveDevice": "归档设备失败",
+    "deviceQuestionArchive": "您确定要存档此设备吗？",
+    "deviceMessageArchive": "设备将被存档并从活动设备列表中删除。",
+    "deviceArchiveConfirm": "归档设备",
+    "archiveDevice": "归档设备",
+    "archive": "存档",
+    "deviceUnarchived": "设备未存档",
+    "deviceUnarchivedDescription": "设备已成功解除归档。",
+    "errorUnarchivingDevice": "卸载设备时出错",
+    "failedToUnarchiveDevice": "取消归档设备失败",
+    "unarchive": "取消存档",
+    "archiveClient": "归档客户端",
+    "archiveClientQuestion": "您确定要存档此客户端吗？",
+    "archiveClientMessage": "客户端将被存档并从您活跃的客户端列表中删除。",
+    "archiveClientConfirm": "归档客户端",
+    "blockClient": "屏蔽客户端",
+    "blockClientQuestion": "您确定要屏蔽此客户端？",
+    "blockClientMessage": "如果当前连接，设备将被迫断开连接。您可以稍后取消屏蔽设备。",
+    "blockClientConfirm": "屏蔽客户端",
+    "active": "已启用",
+    "usernameOrEmail": "用户名或电子邮件",
+    "selectYourOrganization": "选择您的组织",
+    "signInTo": "登录到",
+    "signInWithPassword": "使用密码继续",
+    "noAuthMethodsAvailable": "该组织没有可用的身份验证方法。",
+    "enterPassword": "输入您的密码",
+    "enterMfaCode": "从您的身份验证程序中输入代码",
+    "securityKeyRequired": "请使用您的安全密钥登录。",
+    "needToUseAnotherAccount": "需要使用不同的帐户？",
+    "loginLegalDisclaimer": "点击下面的按钮，您确认您已经阅读了，理解， 并同意 <termsOfService>服务条款</termsOfService> 和 <privacyPolicy>隐私政策</privacyPolicy>。",
+    "termsOfService": "服务条款",
+    "privacyPolicy": "隐私政策",
+    "userNotFoundWithUsername": "找不到该用户名。",
+    "verify": "验证",
+    "signIn": "登录",
+    "forgotPassword": "忘记密码？",
+    "orgSignInTip": "如果您以前已经登录，您可以在上面输入您的用户名或电子邮件来验证您的组织身份提供者。这很容易！",
+    "continueAnyway": "仍然继续",
+    "dontShowAgain": "不再显示",
+    "orgSignInNotice": "您知道吗？",
+    "signupOrgNotice": "试图登录？",
+    "signupOrgTip": "您是否试图通过您的组织的身份提供者登录？",
+    "signupOrgLink": "使用您的组织登录或注册",
+    "verifyEmailLogInWithDifferentAccount": "使用不同的帐户",
+    "logIn": "登录",
+    "deviceInformation": "设备信息",
+    "deviceInformationDescription": "关于设备和代理的信息",
+    "deviceSecurity": "设备安全",
+    "deviceSecurityDescription": "设备安全态势信息",
+    "platform": "平台",
+    "macosVersion": "macOS 版本",
+    "windowsVersion": "Windows 版本",
+    "iosVersion": "iOS 版本",
+    "androidVersion": "Android 版本",
+    "osVersion": "操作系统版本",
+    "kernelVersion": "内核版本",
+    "deviceModel": "设备模型",
+    "serialNumber": "序列号",
+    "hostname": "Hostname",
+    "firstSeen": "第一次查看",
+    "lastSeen": "上次查看时间",
+    "biometricsEnabled": "生物计已启用",
+    "diskEncrypted": "磁盘加密",
+    "firewallEnabled": "防火墙已启用",
+    "autoUpdatesEnabled": "启用自动更新",
+    "tpmAvailable": "TPM 可用",
+    "windowsAntivirusEnabled": "抗病毒已启用",
+    "macosSipEnabled": "系统完整性保护 (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "防火墙隐形模式",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "查看设备信息和设置",
+    "devicePendingApprovalDescription": "此设备正在等待批准",
+    "deviceBlockedDescription": "此设备目前已被屏蔽。除非解除屏蔽，否则无法连接到任何资源。",
+    "unblockClient": "解除屏蔽客户端",
+    "unblockClientDescription": "设备已解除阻止",
+    "unarchiveClient": "取消归档客户端",
+    "unarchiveClientDescription": "设备已被取消存档",
+    "block": "封禁",
+    "unblock": "取消屏蔽",
+    "deviceActions": "设备操作",
+    "deviceActionsDescription": "管理设备状态和访问权限",
+    "devicePendingApprovalBannerDescription": "此设备正在等待批准。在批准之前，它将无法连接到资源。",
+    "connected": "已连接",
+    "disconnected": "断开连接",
+    "approvalsEmptyStateTitle": "设备批准未启用",
+    "approvalsEmptyStateDescription": "在用户连接新设备之前，允许设备批准角色，需要管理员批准。",
+    "approvalsEmptyStateStep1Title": "转到角色",
+    "approvalsEmptyStateStep1Description": "导航到您组织的角色设置来配置设备批准。",
+    "approvalsEmptyStateStep2Title": "启用设备批准",
+    "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
+    "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
+    "approvalsEmptyStateButtonText": "管理角色"
 }
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
    "version": "0.0.0",
    "private": true,
    "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
    "homepage": "https://github.com/fosrl/pangolin",
    "repository": {
        "type": "git",
@@ -12,30 +12,32 @@
    "license": "SEE LICENSE IN LICENSE AND README.md",
    "scripts": {
        "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
+        "dev:check": "npx tsc --noEmit && npm run format:check",
+        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:generate && npm run db:sqlite:push",
        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
-        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
+        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
        "db:clear-migrations": "rm -rf server/migrations",
        "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
        "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
        "set:enterprise": "echo 'export const build = \"enterprise\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
-        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
-        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
-        "next:build": "next build",
-        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
-        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts && cp drizzle.sqlite.config.ts drizzle.config.ts && cp server/setup/migrationsSqlite.ts server/setup/migrations.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts && cp drizzle.pg.config.ts drizzle.config.ts && cp server/setup/migrationsPg.ts server/setup/migrations.ts",
+        "build:next": "next build",
+        "build": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrations.ts -o dist/migrations.mjs",
        "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
        "email": "email dev --dir server/emails/templates --port 3005",
        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs",
+        "format:check": "prettier --check .",
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.2.0",
-        "@aws-sdk/client-s3": "3.955.0",
-        "@faker-js/faker": "10.1.0",
+        "@asteasolutions/zod-to-openapi": "8.4.0",
+        "@aws-sdk/client-s3": "3.987.0",
+        "@faker-js/faker": "10.2.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
        "@monaco-editor/react": "4.7.0",
@@ -75,9 +77,7 @@
        "class-variance-authority": "0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
-        "cookie": "1.1.1",
        "cookie-parser": "1.4.7",
-        "cookies": "0.9.1",
        "cors": "2.8.5",
        "crypto-js": "4.2.0",
        "d3": "7.9.0",
@@ -90,9 +90,8 @@
        "glob": "13.0.0",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
-        "i": "0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.2",
+        "ioredis": "5.9.2",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
@@ -100,30 +99,26 @@
        "maxmind": "5.0.1",
        "moment": "2.30.1",
        "next": "15.5.9",
-        "next-intl": "4.6.1",
+        "next-intl": "4.7.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "node-fetch": "3.3.2",
        "nodemailer": "7.0.11",
-        "npm": "11.7.0",
-        "nprogress": "0.2.0",
        "oslo": "1.2.1",
-        "pg": "8.16.3",
-        "posthog-node": "5.17.4",
+        "pg": "8.17.1",
+        "posthog-node": "5.23.0",
        "qrcode.react": "4.2.0",
        "react": "19.2.3",
        "react-day-picker": "9.13.0",
        "react-dom": "19.2.3",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.68.0",
+        "react-hook-form": "7.71.1",
        "react-icons": "5.5.0",
-        "rebuild": "0.1.2",
        "recharts": "2.15.4",
        "reodotdev": "1.0.0",
-        "resend": "6.6.0",
+        "resend": "6.8.0",
        "semver": "7.7.3",
-        "stripe": "20.1.0",
+        "stripe": "20.2.0",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.4.0",
        "topojson-client": "3.1.0",
@@ -133,10 +128,10 @@
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.3",
+        "ws": "8.19.0",
        "yaml": "2.8.2",
        "yargs": "18.0.0",
-        "zod": "4.2.1",
+        "zod": "4.3.5",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
@@ -170,12 +165,12 @@
        "esbuild": "0.27.2",
        "esbuild-node-externals": "1.20.1",
        "postcss": "8.5.6",
-        "prettier": "3.7.4",
-        "react-email": "5.0.7",
+        "prettier": "3.8.0",
+        "react-email": "5.2.5",
        "tailwindcss": "4.1.18",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
        "typescript": "5.9.3",
-        "typescript-eslint": "8.49.0"
+        "typescript-eslint": "8.53.1"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -78,6 +78,10 @@ export enum ActionsEnum {
    updateSiteResource = "updateSiteResource",
    createClient = "createClient",
    deleteClient = "deleteClient",
+    archiveClient = "archiveClient",
+    unarchiveClient = "unarchiveClient",
+    blockClient = "blockClient",
+    unblockClient = "unblockClient",
    updateClient = "updateClient",
    listClients = "listClients",
    getClient = "getClient",
@@ -125,7 +129,9 @@ export enum ActionsEnum {
    getBlueprint = "getBlueprint",
    applyBlueprint = "applyBlueprint",
    viewLogs = "viewLogs",
-    exportLogs = "exportLogs"
+    exportLogs = "exportLogs",
+    listApprovals = "listApprovals",
+    updateApprovals = "updateApprovals"
 }

 export async function checkUserActionPermission(
--- a/server/db/ios_models.json
+++ b/server/db/ios_models.json
@@ -0,0 +1,150 @@
+{
+  "iPad1,1": "iPad",
+  "iPad2,1": "iPad 2",
+  "iPad2,2": "iPad 2",
+  "iPad2,3": "iPad 2",
+  "iPad2,4": "iPad 2",
+  "iPad3,1": "iPad 3rd Gen",
+  "iPad3,3": "iPad 3rd Gen",
+  "iPad3,2": "iPad 3rd Gen",
+  "iPad3,4": "iPad 4th Gen",
+  "iPad3,5": "iPad 4th Gen",
+  "iPad3,6": "iPad 4th Gen",
+  "iPad6,11": "iPad 9.7 5th Gen",
+  "iPad6,12": "iPad 9.7 5th Gen",
+  "iPad7,5": "iPad 9.7 6th Gen",
+  "iPad7,6": "iPad 9.7 6th Gen",
+  "iPad7,11": "iPad 10.2 7th Gen",
+  "iPad7,12": "iPad 10.2 7th Gen",
+  "iPad11,6": "iPad 10.2 8th Gen",
+  "iPad11,7": "iPad 10.2 8th Gen",
+  "iPad12,1": "iPad 10.2 9th Gen",
+  "iPad12,2": "iPad 10.2 9th Gen",
+  "iPad13,18": "iPad 10.9 10th Gen",
+  "iPad13,19": "iPad 10.9 10th Gen",
+  "iPad4,1": "iPad Air",
+  "iPad4,2": "iPad Air",
+  "iPad4,3": "iPad Air",
+  "iPad5,3": "iPad Air 2",
+  "iPad5,4": "iPad Air 2",
+  "iPad11,3": "iPad Air 3rd Gen",
+  "iPad11,4": "iPad Air 3rd Gen",
+  "iPad13,1": "iPad Air 4th Gen",
+  "iPad13,2": "iPad Air 4th Gen",
+  "iPad13,16": "iPad Air 5th Gen",
+  "iPad13,17": "iPad Air 5th Gen",
+  "iPad14,8": "iPad Air M2 11",
+  "iPad14,9": "iPad Air M2 11",
+  "iPad14,10": "iPad Air M2 13",
+  "iPad14,11": "iPad Air M2 13",
+  "iPad2,5": "iPad mini",
+  "iPad2,6": "iPad mini",
+  "iPad2,7": "iPad mini",
+  "iPad4,4": "iPad mini 2",
+  "iPad4,5": "iPad mini 2",
+  "iPad4,6": "iPad mini 2",
+  "iPad4,7": "iPad mini 3",
+  "iPad4,8": "iPad mini 3",
+  "iPad4,9": "iPad mini 3",
+  "iPad5,1": "iPad mini 4",
+  "iPad5,2": "iPad mini 4",
+  "iPad11,1": "iPad mini 5th Gen",
+  "iPad11,2": "iPad mini 5th Gen",
+  "iPad14,1": "iPad mini 6th Gen",
+  "iPad14,2": "iPad mini 6th Gen",
+  "iPad6,7": "iPad Pro 12.9",
+  "iPad6,8": "iPad Pro 12.9",
+  "iPad6,3": "iPad Pro 9.7",
+  "iPad6,4": "iPad Pro 9.7",
+  "iPad7,3": "iPad Pro 10.5",
+  "iPad7,4": "iPad Pro 10.5",
+  "iPad7,1": "iPad Pro 12.9",
+  "iPad7,2": "iPad Pro 12.9",
+  "iPad8,1": "iPad Pro 11",
+  "iPad8,2": "iPad Pro 11",
+  "iPad8,3": "iPad Pro 11",
+  "iPad8,4": "iPad Pro 11",
+  "iPad8,5": "iPad Pro 12.9",
+  "iPad8,6": "iPad Pro 12.9",
+  "iPad8,7": "iPad Pro 12.9",
+  "iPad8,8": "iPad Pro 12.9",
+  "iPad8,9": "iPad Pro 11",
+  "iPad8,10": "iPad Pro 11",
+  "iPad8,11": "iPad Pro 12.9",
+  "iPad8,12": "iPad Pro 12.9",
+  "iPad13,4": "iPad Pro 11",
+  "iPad13,5": "iPad Pro 11",
+  "iPad13,6": "iPad Pro 11",
+  "iPad13,7": "iPad Pro 11",
+  "iPad13,8": "iPad Pro 12.9",
+  "iPad13,9": "iPad Pro 12.9",
+  "iPad13,10": "iPad Pro 12.9",
+  "iPad13,11": "iPad Pro 12.9",
+  "iPad14,3": "iPad Pro 11",
+  "iPad14,4": "iPad Pro 11",
+  "iPad14,5": "iPad Pro 12.9",
+  "iPad14,6": "iPad Pro 12.9",
+  "iPad16,3": "iPad Pro M4 11",
+  "iPad16,4": "iPad Pro M4 11",
+  "iPad16,5": "iPad Pro M4 13",
+  "iPad16,6": "iPad Pro M4 13",
+  "iPhone1,1": "iPhone",
+  "iPhone1,2": "iPhone 3G",
+  "iPhone2,1": "iPhone 3GS",
+  "iPhone3,1": "iPhone 4",
+  "iPhone3,2": "iPhone 4",
+  "iPhone3,3": "iPhone 4",
+  "iPhone4,1": "iPhone 4S",
+  "iPhone5,1": "iPhone 5",
+  "iPhone5,2": "iPhone 5",
+  "iPhone5,3": "iPhone 5c",
+  "iPhone5,4": "iPhone 5c",
+  "iPhone6,1": "iPhone 5s",
+  "iPhone6,2": "iPhone 5s",
+  "iPhone7,2": "iPhone 6",
+  "iPhone7,1": "iPhone 6 Plus",
+  "iPhone8,1": "iPhone 6s",
+  "iPhone8,2": "iPhone 6s Plus",
+  "iPhone8,4": "iPhone SE",
+  "iPhone9,1": "iPhone 7",
+  "iPhone9,3": "iPhone 7",
+  "iPhone9,2": "iPhone 7 Plus",
+  "iPhone9,4": "iPhone 7 Plus",
+  "iPhone10,1": "iPhone 8",
+  "iPhone10,4": "iPhone 8",
+  "iPhone10,2": "iPhone 8 Plus",
+  "iPhone10,5": "iPhone 8 Plus",
+  "iPhone10,3": "iPhone X",
+  "iPhone10,6": "iPhone X",
+  "iPhone11,2": "iPhone Xs",
+  "iPhone11,6": "iPhone Xs Max",
+  "iPhone11,8": "iPhone XR",
+  "iPhone12,1": "iPhone 11",
+  "iPhone12,3": "iPhone 11 Pro",
+  "iPhone12,5": "iPhone 11 Pro Max",
+  "iPhone12,8": "iPhone SE",
+  "iPhone13,1": "iPhone 12 mini",
+  "iPhone13,2": "iPhone 12",
+  "iPhone13,3": "iPhone 12 Pro",
+  "iPhone13,4": "iPhone 12 Pro Max",
+  "iPhone14,4": "iPhone 13 mini",
+  "iPhone14,5": "iPhone 13",
+  "iPhone14,2": "iPhone 13 Pro",
+  "iPhone14,3": "iPhone 13 Pro Max",
+  "iPhone14,6": "iPhone SE",
+  "iPhone14,7": "iPhone 14",
+  "iPhone14,8": "iPhone 14 Plus",
+  "iPhone15,2": "iPhone 14 Pro",
+  "iPhone15,3": "iPhone 14 Pro Max",
+  "iPhone15,4": "iPhone 15",
+  "iPhone15,5": "iPhone 15 Plus",
+  "iPhone16,1": "iPhone 15 Pro",
+  "iPhone16,2": "iPhone 15 Pro Max",
+  "iPod1,1": "iPod touch Original",
+  "iPod2,1": "iPod touch 2nd",
+  "iPod3,1": "iPod touch 3rd Gen",
+  "iPod4,1": "iPod touch 4th",
+  "iPod5,1": "iPod touch 5th",
+  "iPod7,1": "iPod touch 6th Gen",
+  "iPod9,1": "iPod touch 7th Gen"
+}
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -0,0 +1,201 @@
+{
+  "PowerMac4,4": "eMac",
+  "PowerMac6,4": "eMac",
+  "PowerBook2,1": "iBook",
+  "PowerBook2,2": "iBook",
+  "PowerBook4,1": "iBook",
+  "PowerBook4,2": "iBook",
+  "PowerBook4,3": "iBook",
+  "PowerBook6,3": "iBook",
+  "PowerBook6,5": "iBook",
+  "PowerBook6,7": "iBook",
+  "iMac,1": "iMac",
+  "PowerMac2,1": "iMac",
+  "PowerMac2,2": "iMac",
+  "PowerMac4,1": "iMac",
+  "PowerMac4,2": "iMac",
+  "PowerMac4,5": "iMac",
+  "PowerMac6,1": "iMac",
+  "PowerMac6,3*": "iMac",
+  "PowerMac6,3": "iMac",
+  "PowerMac8,1": "iMac",
+  "PowerMac8,2": "iMac",
+  "PowerMac12,1": "iMac",
+  "iMac4,1": "iMac",
+  "iMac4,2": "iMac",
+  "iMac5,2": "iMac",
+  "iMac5,1": "iMac",
+  "iMac6,1": "iMac",
+  "iMac7,1": "iMac",
+  "iMac8,1": "iMac",
+  "iMac9,1": "iMac",
+  "iMac10,1": "iMac",
+  "iMac11,1": "iMac",
+  "iMac11,2": "iMac",
+  "iMac11,3": "iMac",
+  "iMac12,1": "iMac",
+  "iMac12,2": "iMac",
+  "iMac13,1": "iMac",
+  "iMac13,2": "iMac",
+  "iMac14,1": "iMac",
+  "iMac14,3": "iMac",
+  "iMac14,2": "iMac",
+  "iMac14,4": "iMac",
+  "iMac15,1": "iMac",
+  "iMac16,1": "iMac",
+  "iMac16,2": "iMac",
+  "iMac17,1": "iMac",
+  "iMac18,1": "iMac",
+  "iMac18,2": "iMac",
+  "iMac18,3": "iMac",
+  "iMac19,2": "iMac",
+  "iMac19,1": "iMac",
+  "iMac20,1": "iMac",
+  "iMac20,2": "iMac",
+  "iMac21,2": "iMac",
+  "iMac21,1": "iMac",
+  "iMacPro1,1": "iMac Pro",
+  "PowerMac10,1": "Mac mini",
+  "PowerMac10,2": "Mac mini",
+  "Macmini1,1": "Mac mini",
+  "Macmini2,1": "Mac mini",
+  "Macmini3,1": "Mac mini",
+  "Macmini4,1": "Mac mini",
+  "Macmini5,1": "Mac mini",
+  "Macmini5,2": "Mac mini",
+  "Macmini5,3": "Mac mini",
+  "Macmini6,1": "Mac mini",
+  "Macmini6,2": "Mac mini",
+  "Macmini7,1": "Mac mini",
+  "Macmini8,1": "Mac mini",
+  "ADP3,2": "Mac mini",
+  "Macmini9,1": "Mac mini",
+  "Mac14,3": "Mac mini",
+  "Mac14,12": "Mac mini",
+  "MacPro1,1*": "Mac Pro",
+  "MacPro2,1": "Mac Pro",
+  "MacPro3,1": "Mac Pro",
+  "MacPro4,1": "Mac Pro",
+  "MacPro5,1": "Mac Pro",
+  "MacPro6,1": "Mac Pro",
+  "MacPro7,1": "Mac Pro",
+  "N/A*": "Power Macintosh",
+  "PowerMac1,1": "Power Macintosh",
+  "PowerMac3,1": "Power Macintosh",
+  "PowerMac3,3": "Power Macintosh",
+  "PowerMac3,4": "Power Macintosh",
+  "PowerMac3,5": "Power Macintosh",
+  "PowerMac3,6": "Power Macintosh",
+  "Mac13,1": "Mac Studio",
+  "Mac13,2": "Mac Studio",
+  "MacBook1,1": "MacBook",
+  "MacBook2,1": "MacBook",
+  "MacBook3,1": "MacBook",
+  "MacBook4,1": "MacBook",
+  "MacBook5,1": "MacBook",
+  "MacBook5,2": "MacBook",
+  "MacBook6,1": "MacBook",
+  "MacBook7,1": "MacBook",
+  "MacBook8,1": "MacBook",
+  "MacBook9,1": "MacBook",
+  "MacBook10,1": "MacBook",
+  "MacBookAir1,1": "MacBook Air",
+  "MacBookAir2,1": "MacBook Air",
+  "MacBookAir3,1": "MacBook Air",
+  "MacBookAir3,2": "MacBook Air",
+  "MacBookAir4,1": "MacBook Air",
+  "MacBookAir4,2": "MacBook Air",
+  "MacBookAir5,1": "MacBook Air",
+  "MacBookAir5,2": "MacBook Air",
+  "MacBookAir6,1": "MacBook Air",
+  "MacBookAir6,2": "MacBook Air",
+  "MacBookAir7,1": "MacBook Air",
+  "MacBookAir7,2": "MacBook Air",
+  "MacBookAir8,1": "MacBook Air",
+  "MacBookAir8,2": "MacBook Air",
+  "MacBookAir9,1": "MacBook Air",
+  "MacBookAir10,1": "MacBook Air",
+  "Mac14,2": "MacBook Air",
+  "MacBookPro1,1": "MacBook Pro",
+  "MacBookPro1,2": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
+  "MacBookPro4,1": "MacBook Pro",
+  "MacBookPro5,1": "MacBook Pro",
+  "MacBookPro5,2": "MacBook Pro",
+  "MacBookPro5,5": "MacBook Pro",
+  "MacBookPro5,4": "MacBook Pro",
+  "MacBookPro5,3": "MacBook Pro",
+  "MacBookPro7,1": "MacBook Pro",
+  "MacBookPro6,2": "MacBook Pro",
+  "MacBookPro6,1": "MacBook Pro",
+  "MacBookPro8,1": "MacBook Pro",
+  "MacBookPro8,2": "MacBook Pro",
+  "MacBookPro8,3": "MacBook Pro",
+  "MacBookPro9,2": "MacBook Pro",
+  "MacBookPro9,1": "MacBook Pro",
+  "MacBookPro10,1": "MacBook Pro",
+  "MacBookPro10,2": "MacBook Pro",
+  "MacBookPro11,1": "MacBook Pro",
+  "MacBookPro11,2": "MacBook Pro",
+  "MacBookPro11,3": "MacBook Pro",
+  "MacBookPro12,1": "MacBook Pro",
+  "MacBookPro11,4": "MacBook Pro",
+  "MacBookPro11,5": "MacBook Pro",
+  "MacBookPro13,1": "MacBook Pro",
+  "MacBookPro13,2": "MacBook Pro",
+  "MacBookPro13,3": "MacBook Pro",
+  "MacBookPro14,1": "MacBook Pro",
+  "MacBookPro14,2": "MacBook Pro",
+  "MacBookPro14,3": "MacBook Pro",
+  "MacBookPro15,2": "MacBook Pro",
+  "MacBookPro15,1": "MacBook Pro",
+  "MacBookPro15,3": "MacBook Pro",
+  "MacBookPro15,4": "MacBook Pro",
+  "MacBookPro16,1": "MacBook Pro",
+  "MacBookPro16,3": "MacBook Pro",
+  "MacBookPro16,2": "MacBook Pro",
+  "MacBookPro16,4": "MacBook Pro",
+  "MacBookPro17,1": "MacBook Pro",
+  "MacBookPro18,3": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
+  "MacBookPro18,1": "MacBook Pro",
+  "MacBookPro18,2": "MacBook Pro",
+  "Mac14,7": "MacBook Pro",
+  "Mac14,9": "MacBook Pro",
+  "Mac14,5": "MacBook Pro",
+  "Mac14,10": "MacBook Pro",
+  "Mac14,6": "MacBook Pro",
+  "PowerMac1,2": "Power Macintosh",
+  "PowerMac5,1": "Power Macintosh",
+  "PowerMac7,2": "Power Macintosh",
+  "PowerMac7,3": "Power Macintosh",
+  "PowerMac9,1": "Power Macintosh",
+  "PowerMac11,2": "Power Macintosh",
+  "PowerBook1,1": "PowerBook",
+  "PowerBook3,1": "PowerBook",
+  "PowerBook3,2": "PowerBook",
+  "PowerBook3,3": "PowerBook",
+  "PowerBook3,4": "PowerBook",
+  "PowerBook3,5": "PowerBook",
+  "PowerBook6,1": "PowerBook",
+  "PowerBook5,1": "PowerBook",
+  "PowerBook6,2": "PowerBook",
+  "PowerBook5,2": "PowerBook",
+  "PowerBook5,3": "PowerBook",
+  "PowerBook6,4": "PowerBook",
+  "PowerBook5,4": "PowerBook",
+  "PowerBook5,5": "PowerBook",
+  "PowerBook6,8": "PowerBook",
+  "PowerBook5,6": "PowerBook",
+  "PowerBook5,7": "PowerBook",
+  "PowerBook5,8": "PowerBook",
+  "PowerBook5,9": "PowerBook",
+  "RackMac1,1": "Xserve",
+  "RackMac1,2": "Xserve",
+  "RackMac3,1": "Xserve",
+  "Xserve1,1": "Xserve",
+  "Xserve2,1": "Xserve",
+  "Xserve3,1": "Xserve"
+}
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -16,6 +16,24 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));

+// Load iOS and Mac model mappings
+let iosModelsFile: string;
+let macModelsFile: string;
+if (!dev) {
+    iosModelsFile = join(__DIRNAME, "ios_models.json");
+    macModelsFile = join(__DIRNAME, "mac_models.json");
+} else {
+    iosModelsFile = join("server/db/ios_models.json");
+    macModelsFile = join("server/db/mac_models.json");
+}
+
+const iosModels: Record<string, string> = JSON.parse(
+    readFileSync(iosModelsFile, "utf-8")
+);
+const macModels: Record<string, string> = JSON.parse(
+    readFileSync(macModelsFile, "utf-8")
+);
+
 export async function getUniqueClientName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
@@ -159,3 +177,29 @@ export function generateName(): string {
    // clean out any non-alphanumeric characters except for dashes
    return name.replace(/[^a-z0-9-]/g, "");
 }
+
+export function getMacDeviceName(macIdentifier?: string | null): string | null {
+    if (macIdentifier && macModels[macIdentifier]) {
+        return macModels[macIdentifier];
+    }
+    return null;
+}
+
+export function getIosDeviceName(iosIdentifier?: string | null): string | null {
+    if (iosIdentifier && iosModels[iosIdentifier]) {
+        return iosModels[iosIdentifier];
+    }
+    return null;
+}
+
+export function getUserDeviceName(
+    model: string | null,
+    fallBack: string | null
+): string {
+    return (
+        getMacDeviceName(model) ||
+        getIosDeviceName(model) ||
+        fallBack ||
+        "Unknown Device"
+    );
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -10,7 +10,15 @@ import {
    index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
-import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import {
+    domains,
+    orgs,
+    targets,
+    users,
+    exitNodes,
+    sessions,
+    clients
+} from "./schema";

 export const certificates = pgTable("certificates", {
    certId: serial("certId").primaryKey(),
@@ -74,11 +82,14 @@ export const subscriptions = pgTable("subscriptions", {
    canceledAt: bigint("canceledAt", { mode: "number" }),
    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
    updatedAt: bigint("updatedAt", { mode: "number" }),
-    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" })
+    version: integer("version"),
+    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" }),
+    type: varchar("type", { length: 50 }) // tier1, tier2, tier3, or license
 });

 export const subscriptionItems = pgTable("subscriptionItems", {
    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -86,6 +97,7 @@ export const subscriptionItems = pgTable("subscriptionItems", {
        }),
    planId: varchar("planId", { length: 255 }).notNull(),
    priceId: varchar("priceId", { length: 255 }),
+    featureId: varchar("featureId", { length: 255 }),
    meterId: varchar("meterId", { length: 255 }),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
@@ -128,6 +140,7 @@ export const limits = pgTable("limits", {
        })
        .notNull(),
    value: real("value"),
+    override: boolean("override").default(false),
    description: text("description")
 });

@@ -206,7 +219,7 @@ export const loginPageOrg = pgTable("loginPageOrg", {

 export const loginPageBranding = pgTable("loginPageBranding", {
    loginPageBrandingId: serial("loginPageBrandingId").primaryKey(),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -289,6 +302,33 @@ export const accessAuditLog = pgTable(
    ]
 );

+export const approvals = pgTable("approvals", {
+    approvalId: serial("approvalId").primaryKey(),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // clients reference user devices (in this case)
+    userId: varchar("userId")
+        .references(() => users.userId, {
+            // optionally tied to a user and in this case delete when the user deletes
+            onDelete: "cascade"
+        })
+        .notNull(),
+    decision: varchar("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: varchar("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -365,7 +365,8 @@ export const roles = pgTable("roles", {
        .notNull(),
    isAdmin: boolean("isAdmin"),
    name: varchar("name").notNull(),
-    description: varchar("description")
+    description: varchar("description"),
+    requireDeviceApproval: boolean("requireDeviceApproval").default(false)
 });

 export const roleActions = pgTable("roleActions", {
@@ -591,7 +592,8 @@ export const idp = pgTable("idp", {
    type: varchar("type").notNull(),
    defaultRoleMapping: varchar("defaultRoleMapping"),
    defaultOrgMapping: varchar("defaultOrgMapping"),
-    autoProvision: boolean("autoProvision").notNull().default(false)
+    autoProvision: boolean("autoProvision").notNull().default(false),
+    tags: text("tags")
 });

 export const idpOidcConfig = pgTable("idpOidcConfig", {
@@ -688,7 +690,12 @@ export const clients = pgTable("clients", {
    online: boolean("online").notNull().default(false),
    // endpoint: varchar("endpoint"),
    lastHolePunch: integer("lastHolePunch"),
-    maxConnections: integer("maxConnections")
+    maxConnections: integer("maxConnections"),
+    archived: boolean("archived").notNull().default(false),
+    blocked: boolean("blocked").notNull().default(false),
+    approvalState: varchar("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });

 export const clientSitesAssociationsCache = pgTable(
@@ -712,6 +719,16 @@ export const clientSiteResourcesAssociationsCache = pgTable(
    }
 );

+export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
+    snapshotId: serial("snapshotId").primaryKey(),
+
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }),
+
+    collectedAt: integer("collectedAt").notNull()
+});
+
 export const olms = pgTable("olms", {
    olmId: varchar("id").primaryKey(),
    secretHash: varchar("secretHash").notNull(),
@@ -726,7 +743,118 @@ export const olms = pgTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
-    })
+    }),
+    archived: boolean("archived").notNull().default(false)
+});
+
+export const currentFingerprint = pgTable("currentFingerprint", {
+    fingerprintId: serial("id").primaryKey(),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+    lastCollectedAt: integer("lastCollectedAt").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: varchar("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
+    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
+    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
+    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
+    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
+    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled").notNull().default(false)
+});
+
+export const fingerprintSnapshots = pgTable("fingerprintSnapshots", {
+    snapshotId: serial("id").primaryKey(),
+
+    fingerprintId: integer("fingerprintId").references(
+        () => currentFingerprint.fingerprintId,
+        {
+            onDelete: "set null"
+        }
+    ),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: varchar("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
+    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
+    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
+    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
+    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
+    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled")
+        .notNull()
+        .default(false),
+
+    hash: text("hash").notNull(),
+    collectedAt: integer("collectedAt").notNull()
 });

 export const olmSessions = pgTable("clientSession", {
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,4 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -108,9 +108,17 @@ export async function getUserSessionWithUser(
 */
 export async function getUserOrgRole(userId: string, orgId: string) {
    const userOrgRole = await db
-        .select()
+        .select({
+            userId: userOrgs.userId,
+            orgId: userOrgs.orgId,
+            roleId: userOrgs.roleId,
+            isOwner: userOrgs.isOwner,
+            autoProvisioned: userOrgs.autoProvisioned,
+            roleName: roles.name
+        })
        .from(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .limit(1);

    return userOrgRole.length > 0 ? userOrgRole[0] : null;
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -6,7 +6,7 @@ import {
    sqliteTable,
    text
 } from "drizzle-orm/sqlite-core";
-import { domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -70,7 +70,9 @@ export const subscriptions = sqliteTable("subscriptions", {
    canceledAt: integer("canceledAt"),
    createdAt: integer("createdAt").notNull(),
    updatedAt: integer("updatedAt"),
-    billingCycleAnchor: integer("billingCycleAnchor")
+    version: integer("version"),
+    billingCycleAnchor: integer("billingCycleAnchor"),
+    type: text("type") // tier1, tier2, tier3, or license
 });

 export const subscriptionItems = sqliteTable("subscriptionItems", {
@@ -84,6 +86,7 @@ export const subscriptionItems = sqliteTable("subscriptionItems", {
        }),
    planId: text("planId").notNull(),
    priceId: text("priceId"),
+    featureId: text("featureId"),
    meterId: text("meterId"),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
@@ -126,6 +129,7 @@ export const limits = sqliteTable("limits", {
        })
        .notNull(),
    value: real("value"),
+    override: integer("override", { mode: "boolean" }).default(false),
    description: text("description")
 });

@@ -206,7 +210,7 @@ export const loginPageBranding = sqliteTable("loginPageBranding", {
    loginPageBrandingId: integer("loginPageBrandingId").primaryKey({
        autoIncrement: true
    }),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -289,6 +293,31 @@ export const accessAuditLog = sqliteTable(
    ]
 );

+export const approvals = sqliteTable("approvals", {
+    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // olms reference user devices clients
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    decision: text("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: text("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -255,7 +255,9 @@ export const siteResources = sqliteTable("siteResources", {
    aliasAddress: text("aliasAddress"),
    tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
-    disableIcmp: integer("disableIcmp", { mode: "boolean" }).notNull().default(false)
+    disableIcmp: integer("disableIcmp", { mode: "boolean" })
+        .notNull()
+        .default(false)
 });

 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -383,7 +385,12 @@ export const clients = sqliteTable("clients", {
    type: text("type").notNull(), // "olm"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
    // endpoint: text("endpoint"),
-    lastHolePunch: integer("lastHolePunch")
+    lastHolePunch: integer("lastHolePunch"),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false),
+    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false),
+    approvalState: text("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });

 export const clientSitesAssociationsCache = sqliteTable(
@@ -423,7 +430,160 @@ export const olms = sqliteTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
+    }),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
+});
+
+export const currentFingerprint = sqliteTable("currentFingerprint", {
+    fingerprintId: integer("id").primaryKey({ autoIncrement: true }),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+    lastCollectedAt: integer("lastCollectedAt").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: text("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
+        .notNull()
+        .default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
+        mode: "boolean"
    })
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false)
+});
+
+export const fingerprintSnapshots = sqliteTable("fingerprintSnapshots", {
+    snapshotId: integer("id").primaryKey({ autoIncrement: true }),
+
+    fingerprintId: integer("fingerprintId").references(
+        () => currentFingerprint.fingerprintId,
+        {
+            onDelete: "set null"
+        }
+    ),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: text("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
+        .notNull()
+        .default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    hash: text("hash").notNull(),
+    collectedAt: integer("collectedAt").notNull()
 });

 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
@@ -515,7 +675,10 @@ export const roles = sqliteTable("roles", {
        .notNull(),
    isAdmin: integer("isAdmin", { mode: "boolean" }),
    name: text("name").notNull(),
-    description: text("description")
+    description: text("description"),
+    requireDeviceApproval: integer("requireDeviceApproval", {
+        mode: "boolean"
+    }).default(false)
 });

 export const roleActions = sqliteTable("roleActions", {
@@ -774,7 +937,8 @@ export const idp = sqliteTable("idp", {
        mode: "boolean"
    })
        .notNull()
-        .default(false)
+        .default(false),
+    tags: text("tags")
 });

 // Identity Provider OAuth Configuration
--- a/server/emails/templates/EnterpriseEditionKeyGenerated.tsx
+++ b/server/emails/templates/EnterpriseEditionKeyGenerated.tsx
@@ -0,0 +1,118 @@
+import React from "react";
+import { Body, Head, Html, Preview, Tailwind } from "@react-email/components";
+import { themeColors } from "./lib/theme";
+import {
+    EmailContainer,
+    EmailFooter,
+    EmailGreeting,
+    EmailHeading,
+    EmailInfoSection,
+    EmailLetterHead,
+    EmailSection,
+    EmailSignature,
+    EmailText
+} from "./components/Email";
+import CopyCodeBox from "./components/CopyCodeBox";
+import ButtonLink from "./components/ButtonLink";
+
+type EnterpriseEditionKeyGeneratedProps = {
+    keyValue: string;
+    personalUseOnly: boolean;
+    users: number;
+    sites: number;
+    modifySubscriptionLink?: string;
+};
+
+export const EnterpriseEditionKeyGenerated = ({
+    keyValue,
+    personalUseOnly,
+    users,
+    sites,
+    modifySubscriptionLink
+}: EnterpriseEditionKeyGeneratedProps) => {
+    const previewText = personalUseOnly
+        ? "Your Enterprise Edition key for personal use is ready"
+        : "Thank you for your purchase — your Enterprise Edition key is ready";
+
+    return (
+        <Html>
+            <Head />
+            <Preview>{previewText}</Preview>
+            <Tailwind config={themeColors}>
+                <Body className="font-sans bg-gray-50">
+                    <EmailContainer>
+                        <EmailLetterHead />
+
+                        <EmailGreeting>Hi there,</EmailGreeting>
+
+                        {personalUseOnly ? (
+                            <EmailText>
+                                Your Enterprise Edition license key has been
+                                generated. Qualifying users can use the
+                                Enterprise Edition for free for{" "}
+                                <strong>personal use only</strong>.
+                            </EmailText>
+                        ) : (
+                            <>
+                                <EmailText>
+                                    Thank you for your purchase. Your Enterprise
+                                    Edition license key is ready. Below are the
+                                    terms of your license.
+                                </EmailText>
+                                <EmailInfoSection
+                                    title="License details"
+                                    items={[
+                                        {
+                                            label: "Licensed users",
+                                            value: users
+                                        },
+                                        {
+                                            label: "Licensed sites",
+                                            value: sites
+                                        }
+                                    ]}
+                                />
+                                {modifySubscriptionLink && (
+                                    <EmailSection>
+                                        <ButtonLink
+                                            href={modifySubscriptionLink}
+                                        >
+                                            Modify subscription
+                                        </ButtonLink>
+                                    </EmailSection>
+                                )}
+                            </>
+                        )}
+
+                        <EmailSection>
+                            <EmailText>Your license key:</EmailText>
+                            <CopyCodeBox
+                                text={keyValue}
+                                hint="Copy this key and use it when activating Enterprise Edition on your Pangolin host."
+                            />
+                        </EmailSection>
+
+                        <EmailText>
+                            If you need to purchase additional license keys or
+                            modify your existing license, please reach out to
+                            our support team at{" "}
+                            <a
+                                href="mailto:support@pangolin.net"
+                                className="text-primary font-medium"
+                            >
+                                support@pangolin.net
+                            </a>
+                            .
+                        </EmailText>
+
+                        <EmailFooter>
+                            <EmailSignature />
+                        </EmailFooter>
+                    </EmailContainer>
+                </Body>
+            </Tailwind>
+        </Html>
+    );
+};
+
+export default EnterpriseEditionKeyGenerated;
--- a/server/emails/templates/components/CopyCodeBox.tsx
+++ b/server/emails/templates/components/CopyCodeBox.tsx
@@ -1,6 +1,14 @@
 import React from "react";

-export default function CopyCodeBox({ text }: { text: string }) {
+const DEFAULT_HINT = "Copy and paste this code when prompted";
+
+export default function CopyCodeBox({
+    text,
+    hint
+}: {
+    text: string;
+    hint?: string;
+}) {
    return (
        <div className="inline-block">
            <div className="bg-gray-50 border border-gray-200 rounded-lg px-6 py-4 mx-auto">
@@ -8,9 +16,7 @@ export default function CopyCodeBox({ text }: { text: string }) {
                    {text}
                </span>
            </div>
-            <p className="text-xs text-gray-500 mt-2">
-                Copy and paste this code when prompted
-            </p>
+            <p className="text-xs text-gray-500 mt-2">{hint ?? DEFAULT_HINT}</p>
        </div>
    );
 }
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -105,11 +105,13 @@ function getOpenApiDocumentation() {
        servers: [{ url: "/v1" }]
    });

-    // convert to yaml and save to file
-    const outputPath = path.join(APP_PATH, "openapi.yaml");
-    const yamlOutput = yaml.dump(generated);
-    fs.writeFileSync(outputPath, yamlOutput, "utf8");
-    logger.info(`OpenAPI documentation saved to ${outputPath}`);
+    if (!process.env.DISABLE_GEN_OPENAPI) {
+        // convert to yaml and save to file
+        const outputPath = path.join(APP_PATH, "openapi.yaml");
+        const yamlOutput = yaml.dump(generated);
+        fs.writeFileSync(outputPath, yamlOutput, "utf8");
+        logger.info(`OpenAPI documentation saved to ${outputPath}`);
+    }

    return generated;
 }
--- a/server/lib/billing/features.ts
+++ b/server/lib/billing/features.ts
@@ -1,30 +1,41 @@
-import Stripe from "stripe";
-
 export enum FeatureId {
-    SITE_UPTIME = "siteUptime",
    USERS = "users",
+    SITES = "sites",
    EGRESS_DATA_MB = "egressDataMb",
    DOMAINS = "domains",
-    REMOTE_EXIT_NODES = "remoteExitNodes"
+    REMOTE_EXIT_NODES = "remoteExitNodes",
+    TIER1 = "tier1"
 }

-export const FeatureMeterIds: Record<FeatureId, string> = {
-    [FeatureId.SITE_UPTIME]: "mtr_61Srrej5wUJuiTWgo41D3Ee2Ir7WmDLU",
-    [FeatureId.USERS]: "mtr_61SrreISyIWpwUNGR41D3Ee2Ir7WmQro",
-    [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW",
-    [FeatureId.DOMAINS]: "mtr_61Ss9nIKDNMw0LDRU41D3Ee2Ir7WmRPU",
-    [FeatureId.REMOTE_EXIT_NODES]: "mtr_61T86UXnfxTVXy9sD41D3Ee2Ir7WmFTE"
+export async function getFeatureDisplayName(featureId: FeatureId): Promise<string> {
+    switch (featureId) {
+        case FeatureId.USERS:
+            return "Users";
+        case FeatureId.SITES:
+            return "Sites";
+        case FeatureId.EGRESS_DATA_MB:
+            return "Egress Data (MB)";
+        case FeatureId.DOMAINS:
+            return "Domains";
+        case FeatureId.REMOTE_EXIT_NODES:
+            return "Remote Exit Nodes";
+        case FeatureId.TIER1:
+            return "Home Lab";
+        default:
+            return featureId;
+    }
+}
+
+// this is from the old system
+export const FeatureMeterIds: Partial<Record<FeatureId, string>> = { // right now we are not charging for any data
+    // [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW"
 };

-export const FeatureMeterIdsSandbox: Record<FeatureId, string> = {
-    [FeatureId.SITE_UPTIME]: "mtr_test_61Snh3cees4w60gv841DCpkOb237BDEu",
-    [FeatureId.USERS]: "mtr_test_61Sn5fLtq1gSfRkyA41DCpkOb237B6au",
-    [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ",
-    [FeatureId.DOMAINS]: "mtr_test_61SsA8qrdAlgPpFRQ41DCpkOb237BGts",
-    [FeatureId.REMOTE_EXIT_NODES]: "mtr_test_61T86Vqmwa3D9ra3341DCpkOb237B94K"
+export const FeatureMeterIdsSandbox: Partial<Record<FeatureId, string>> = {
+    // [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ"
 };

-export function getFeatureMeterId(featureId: FeatureId): string {
+export function getFeatureMeterId(featureId: FeatureId): string | undefined {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
@@ -43,45 +54,81 @@ export function getFeatureIdByMetricId(
    )?.[0];
 }

-export type FeaturePriceSet = {
-    [key in Exclude<FeatureId, FeatureId.DOMAINS>]: string;
-} & {
-    [FeatureId.DOMAINS]?: string; // Optional since domains are not billed
+export type FeaturePriceSet = Partial<Record<FeatureId, string>>;
+
+export const homeLabFeaturePriceSet: FeaturePriceSet = {
+    [FeatureId.TIER1]: "price_1SzVE3D3Ee2Ir7Wm6wT5Dl3G"
 };

-export const standardFeaturePriceSet: FeaturePriceSet = {
-    // Free tier matches the freeLimitSet
-    [FeatureId.SITE_UPTIME]: "price_1RrQc4D3Ee2Ir7WmaJGZ3MtF",
-    [FeatureId.USERS]: "price_1RrQeJD3Ee2Ir7WmgveP3xea",
-    [FeatureId.EGRESS_DATA_MB]: "price_1RrQXFD3Ee2Ir7WmvGDlgxQk",
-    // [FeatureId.DOMAINS]: "price_1Rz3tMD3Ee2Ir7Wm5qLeASzC",
-    [FeatureId.REMOTE_EXIT_NODES]: "price_1S46weD3Ee2Ir7Wm94KEHI4h"
+export const homeLabFeaturePriceSetSandbox: FeaturePriceSet = {
+    [FeatureId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
 };

-export const standardFeaturePriceSetSandbox: FeaturePriceSet = {
-    // Free tier matches the freeLimitSet
-    [FeatureId.SITE_UPTIME]: "price_1RefFBDCpkOb237BPrKZ8IEU",
-    [FeatureId.USERS]: "price_1ReNa4DCpkOb237Bc67G5muF",
-    [FeatureId.EGRESS_DATA_MB]: "price_1Rfp9LDCpkOb237BwuN5Oiu0",
-    // [FeatureId.DOMAINS]: "price_1Ryi88DCpkOb237B2D6DM80b",
-    [FeatureId.REMOTE_EXIT_NODES]: "price_1RyiZvDCpkOb237BXpmoIYJL"
-};
-
-export function getStandardFeaturePriceSet(): FeaturePriceSet {
+export function getHomeLabFeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
-        return standardFeaturePriceSet;
+        return homeLabFeaturePriceSet;
    } else {
-        return standardFeaturePriceSetSandbox;
+        return homeLabFeaturePriceSetSandbox;
    }
 }

-export function getLineItems(
-    featurePriceSet: FeaturePriceSet
-): Stripe.Checkout.SessionCreateParams.LineItem[] {
-    return Object.entries(featurePriceSet).map(([featureId, priceId]) => ({
-        price: priceId
-    }));
+export const tier2FeaturePriceSet: FeaturePriceSet = {
+    [FeatureId.USERS]: "price_1SzVCcD3Ee2Ir7Wmn6U3KvPN"
+};
+
+export const tier2FeaturePriceSetSandbox: FeaturePriceSet = {
+    [FeatureId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
+};
+
+export function getStarterFeaturePriceSet(): FeaturePriceSet {
+    if (
+        process.env.ENVIRONMENT == "prod" &&
+        process.env.SANDBOX_MODE !== "true"
+    ) {
+        return tier2FeaturePriceSet;
+    } else {
+        return tier2FeaturePriceSetSandbox;
+    }
+}
+
+export const tier3FeaturePriceSet: FeaturePriceSet = {
+    [FeatureId.USERS]: "price_1SzVDKD3Ee2Ir7WmPtOKNusv"
+};
+
+export const tier3FeaturePriceSetSandbox: FeaturePriceSet = {
+    [FeatureId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
+};
+
+export function getScaleFeaturePriceSet(): FeaturePriceSet {
+    if (
+        process.env.ENVIRONMENT == "prod" &&
+        process.env.SANDBOX_MODE !== "true"
+    ) {
+        return tier3FeaturePriceSet;
+    } else {
+        return tier3FeaturePriceSetSandbox;
+    }
+}
+
+export function getFeatureIdByPriceId(priceId: string): FeatureId | undefined {
+    // Check all feature price sets
+    const allPriceSets = [
+        getHomeLabFeaturePriceSet(),
+        getStarterFeaturePriceSet(),
+        getScaleFeaturePriceSet()
+    ];
+
+    for (const priceSet of allPriceSets) {
+        const entry = (Object.entries(priceSet) as [FeatureId, string][]).find(
+            ([_, price]) => price === priceId
+        );
+        if (entry) {
+            return entry[0];
+        }
+    }
+
+    return undefined;
 }
--- a/server/lib/billing/getLineItems.ts
+++ b/server/lib/billing/getLineItems.ts
@@ -0,0 +1,25 @@
+import Stripe from "stripe";
+import { FeatureId, FeaturePriceSet } from "./features";
+import { usageService } from "./usageService";
+
+export async function getLineItems(
+    featurePriceSet: FeaturePriceSet,
+    orgId: string,
+): Promise<Stripe.Checkout.SessionCreateParams.LineItem[]> {
+    const users = await usageService.getUsage(orgId, FeatureId.USERS);
+
+    return Object.entries(featurePriceSet).map(([featureId, priceId]) => {
+        let quantity: number | undefined;
+
+        if (featureId === FeatureId.USERS) {
+            quantity = users?.instantaneousValue || 1;
+        } else if (featureId === FeatureId.TIER1) {
+            quantity = 1;
+        }
+
+        return {
+            price: priceId,
+            quantity: quantity
+        };
+    });
+}
--- a/server/lib/billing/licenses.ts
+++ b/server/lib/billing/licenses.ts
@@ -0,0 +1,37 @@
+export enum LicenseId {
+    SMALL_LICENSE = "small_license",
+    BIG_LICENSE = "big_license"
+}
+
+export type LicensePriceSet = {
+    [key in LicenseId]: string;
+};
+
+export const licensePriceSet: LicensePriceSet = {
+    // Free license matches the freeLimitSet
+    [LicenseId.SMALL_LICENSE]: "price_1SxKHiD3Ee2Ir7WmvtEh17A8",
+    [LicenseId.BIG_LICENSE]: "price_1SxKHiD3Ee2Ir7WmMUiP0H6Y"
+};
+
+export const licensePriceSetSandbox: LicensePriceSet = {
+    // Free license matches the freeLimitSet
+    // when matching license the keys closer to 0 index are matched first so list the licenses in descending order of value
+    [LicenseId.SMALL_LICENSE]: "price_1SxDwuDCpkOb237Bz0yTiOgN",
+    [LicenseId.BIG_LICENSE]: "price_1SxDy0DCpkOb237BWJxrxYkl"
+};
+
+export function getLicensePriceSet(
+    environment?: string,
+    sandbox_mode?: boolean
+): LicensePriceSet {
+    if (
+        (process.env.ENVIRONMENT == "prod" &&
+            process.env.SANDBOX_MODE !== "true") ||
+        (environment === "prod" && sandbox_mode !== true)
+    ) {
+        // THIS GETS LOADED CLIENT SIDE AND SERVER SIDE
+        return licensePriceSet;
+    } else {
+        return licensePriceSetSandbox;
+    }
+}
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -1,50 +1,67 @@
 import { FeatureId } from "./features";

-export type LimitSet = {
+export type LimitSet = Partial<{
    [key in FeatureId]: {
        value: number | null; // null indicates no limit
        description?: string;
    };
-};
+}>;

 export const sandboxLimitSet: LimitSet = {
-    [FeatureId.SITE_UPTIME]: { value: 2880, description: "Sandbox limit" }, // 1 site up for 2 days
    [FeatureId.USERS]: { value: 1, description: "Sandbox limit" },
-    [FeatureId.EGRESS_DATA_MB]: { value: 1000, description: "Sandbox limit" }, // 1 GB
+    [FeatureId.SITES]: { value: 1, description: "Sandbox limit" },
    [FeatureId.DOMAINS]: { value: 0, description: "Sandbox limit" },
-    [FeatureId.REMOTE_EXIT_NODES]: { value: 0, description: "Sandbox limit" }
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 0, description: "Sandbox limit" },
 };

 export const freeLimitSet: LimitSet = {
-    [FeatureId.SITE_UPTIME]: { value: 46080, description: "Free tier limit" }, // 1 site up for 32 days
-    [FeatureId.USERS]: { value: 3, description: "Free tier limit" },
-    [FeatureId.EGRESS_DATA_MB]: {
-        value: 25000,
-        description: "Free tier limit"
-    }, // 25 GB
-    [FeatureId.DOMAINS]: { value: 3, description: "Free tier limit" },
-    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Free tier limit" }
+    [FeatureId.USERS]: { value: 5, description: "Starter limit" },
+    [FeatureId.SITES]: { value: 5, description: "Starter limit" },
+    [FeatureId.DOMAINS]: { value: 5, description: "Starter limit" },
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Starter limit" },
 };

-export const subscribedLimitSet: LimitSet = {
-    [FeatureId.SITE_UPTIME]: {
-        value: 2232000,
-        description: "Contact us to increase soft limit."
-    }, // 50 sites up for 31 days
+export const tier1LimitSet: LimitSet = {
+    [FeatureId.USERS]: { value: 7, description: "Home limit" },
+    [FeatureId.SITES]: { value: 10, description: "Home limit" },
+    [FeatureId.DOMAINS]: { value: 10, description: "Home limit" },
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Home limit" },
+};
+
+export const tier2LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 150,
-        description: "Contact us to increase soft limit."
+        value: 100,
+        description: "Team limit"
+    },
+    [FeatureId.SITES]: {
+        value: 50,
+        description: "Team limit"
    },
-    [FeatureId.EGRESS_DATA_MB]: {
-        value: 12000000,
-        description: "Contact us to increase soft limit."
-    }, // 12000 GB
    [FeatureId.DOMAINS]: {
-        value: 25,
-        description: "Contact us to increase soft limit."
+        value: 50,
+        description: "Team limit"
    },
    [FeatureId.REMOTE_EXIT_NODES]: {
-        value: 5,
-        description: "Contact us to increase soft limit."
-    }
+        value: 3,
+        description: "Team limit"
+    },
+};
+
+export const tier3LimitSet: LimitSet = {
+    [FeatureId.USERS]: {
+        value: 500,
+        description: "Business limit"
+    },
+    [FeatureId.SITES]: {
+        value: 250,
+        description: "Business limit"
+    },
+    [FeatureId.DOMAINS]: {
+        value: 100,
+        description: "Business limit"
+    },
+    [FeatureId.REMOTE_EXIT_NODES]: {
+        value: 20,
+        description: "Business limit"
+    },
 };
--- a/server/lib/billing/limitsService.ts
+++ b/server/lib/billing/limitsService.ts
@@ -2,6 +2,7 @@ import { db, limits } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import { LimitSet } from "./limitSet";
 import { FeatureId } from "./features";
+import logger from "@server/logger";

 class LimitService {
    async applyLimitSetToOrg(orgId: string, limitSet: LimitSet): Promise<void> {
@@ -13,6 +14,21 @@ class LimitService {
            for (const [featureId, entry] of limitEntries) {
                const limitId = `${orgId}-${featureId}`;
                const { value, description } = entry;
+                // get the limit first
+                const [limit] = await trx
+                    .select()
+                    .from(limits)
+                    .where(eq(limits.limitId, limitId))
+                    .limit(1);
+
+                // check if its overriden
+                if (limit && limit.override) {
+                    logger.debug(
+                        `Skipping limit ${limitId} for org ${orgId} since it is overridden...`
+                    );
+                    continue;
+                }
+
                await trx
                    .insert(limits)
                    .values({ limitId, orgId, featureId, value, description });
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -0,0 +1,50 @@
+import { Tier } from "@server/types/Tiers";
+
+export enum TierFeature {
+    OrgOidc = "orgOidc",
+    LoginPageDomain = "loginPageDomain", // handle downgrade by removing custom domain
+    DeviceApprovals = "deviceApprovals", // handle downgrade by disabling device approvals
+    LoginPageBranding = "loginPageBranding", // handle downgrade by setting to default branding
+    LogExport = "logExport",
+    AccessLogs = "accessLogs", // set the retention period to none on downgrade
+    ActionLogs = "actionLogs", // set the retention period to none on downgrade
+    RotateCredentials = "rotateCredentials",
+    MaintencePage = "maintencePage", // handle downgrade
+    DevicePosture = "devicePosture",
+    TwoFactorEnforcement = "twoFactorEnforcement", // handle downgrade by setting to optional
+    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
+    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
+    AutoProvisioning = "autoProvisioning" // handle downgrade by disabling auto provisioning
+}
+
+export const tierMatrix: Record<TierFeature, Tier[]> = {
+    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.LoginPageBranding]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.LogExport]: ["tier3", "enterprise"],
+    [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.TwoFactorEnforcement]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ],
+    [TierFeature.SessionDurationPolicies]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ],
+    [TierFeature.PasswordExpirationPolicies]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ],
+    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"]
+};
--- a/server/lib/billing/tiers.ts
+++ b/server/lib/billing/tiers.ts
@@ -1,34 +0,0 @@
-export enum TierId {
-    STANDARD = "standard"
-}
-
-export type TierPriceSet = {
-    [key in TierId]: string;
-};
-
-export const tierPriceSet: TierPriceSet = {
-    // Free tier matches the freeLimitSet
-    [TierId.STANDARD]: "price_1RrQ9cD3Ee2Ir7Wmqdy3KBa0"
-};
-
-export const tierPriceSetSandbox: TierPriceSet = {
-    // Free tier matches the freeLimitSet
-    // when matching tier the keys closer to 0 index are matched first so list the tiers in descending order of value
-    [TierId.STANDARD]: "price_1RrAYJDCpkOb237By2s1P32m"
-};
-
-export function getTierPriceSet(
-    environment?: string,
-    sandbox_mode?: boolean
-): TierPriceSet {
-    if (
-        (process.env.ENVIRONMENT == "prod" &&
-            process.env.SANDBOX_MODE !== "true") ||
-        (environment === "prod" && sandbox_mode !== true)
-    ) {
-        // THIS GETS LOADED CLIENT SIDE AND SERVER SIDE
-        return tierPriceSet;
-    } else {
-        return tierPriceSetSandbox;
-    }
-}
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -1,8 +1,6 @@
 import { eq, sql, and } from "drizzle-orm";
 import { v4 as uuidv4 } from "uuid";
 import { PutObjectCommand } from "@aws-sdk/client-s3";
-import * as fs from "fs/promises";
-import * as path from "path";
 import {
    db,
    usage,
@@ -32,11 +30,7 @@ interface StripeEvent {
 }

 export function noop() {
-    if (
-        build !== "saas" ||
-        !process.env.S3_BUCKET ||
-        !process.env.LOCAL_FILE_PATH
-    ) {
+    if (build !== "saas") {
        return true;
    }
    return false;
@@ -44,31 +38,40 @@ export function noop() {

 export class UsageService {
    private bucketName: string | undefined;
-    private currentEventFile: string | null = null;
-    private currentFileStartTime: number = 0;
-    private eventsDir: string | undefined;
-    private uploadingFiles: Set<string> = new Set();
+    private events: StripeEvent[] = [];
+    private lastUploadTime: number = Date.now();
+    private isUploading: boolean = false;

    constructor() {
        if (noop()) {
            return;
        }
-        // this.bucketName = privateConfig.getRawPrivateConfig().stripe?.s3Bucket;
-        // this.eventsDir = privateConfig.getRawPrivateConfig().stripe?.localFilePath;
-        this.bucketName = process.env.S3_BUCKET || undefined;
-        this.eventsDir = process.env.LOCAL_FILE_PATH || undefined;

-        // Ensure events directory exists
-        this.initializeEventsDirectory().then(() => {
-            this.uploadPendingEventFilesOnStartup();
-        });
+        // this.bucketName = process.env.S3_BUCKET || undefined;

-        // Periodically check for old event files to upload
-        setInterval(() => {
-            this.uploadOldEventFiles().catch((err) => {
-                logger.error("Error in periodic event file upload:", err);
-            });
-        }, 30000); // every 30 seconds
+        // // Periodically check and upload events
+        // setInterval(() => {
+        //     this.checkAndUploadEvents().catch((err) => {
+        //         logger.error("Error in periodic event upload:", err);
+        //     });
+        // }, 30000); // every 30 seconds
+
+        // // Handle graceful shutdown on SIGTERM
+        // process.on("SIGTERM", async () => {
+        //     logger.info(
+        //         "SIGTERM received, uploading events before shutdown..."
+        //     );
+        //     await this.forceUpload();
+        //     logger.info("Events uploaded, proceeding with shutdown");
+        // });
+
+        // // Handle SIGINT as well (Ctrl+C)
+        // process.on("SIGINT", async () => {
+        //     logger.info("SIGINT received, uploading events before shutdown...");
+        //     await this.forceUpload();
+        //     logger.info("Events uploaded, proceeding with shutdown");
+        //     process.exit(0);
+        // });
    }

    /**
@@ -78,85 +81,6 @@ export class UsageService {
        return Math.round(value * 100000000000) / 100000000000; // 11 decimal places
    }

-    private async initializeEventsDirectory(): Promise<void> {
-        if (!this.eventsDir) {
-            logger.warn(
-                "Stripe local file path is not configured, skipping events directory initialization."
-            );
-            return;
-        }
-        try {
-            await fs.mkdir(this.eventsDir, { recursive: true });
-        } catch (error) {
-            logger.error("Failed to create events directory:", error);
-        }
-    }
-
-    private async uploadPendingEventFilesOnStartup(): Promise<void> {
-        if (!this.eventsDir || !this.bucketName) {
-            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping leftover event file upload."
-            );
-            return;
-        }
-        try {
-            const files = await fs.readdir(this.eventsDir);
-            for (const file of files) {
-                if (file.endsWith(".json")) {
-                    const filePath = path.join(this.eventsDir, file);
-                    try {
-                        const fileContent = await fs.readFile(
-                            filePath,
-                            "utf-8"
-                        );
-                        const events = JSON.parse(fileContent);
-                        if (Array.isArray(events) && events.length > 0) {
-                            // Upload to S3
-                            const uploadCommand = new PutObjectCommand({
-                                Bucket: this.bucketName,
-                                Key: file,
-                                Body: fileContent,
-                                ContentType: "application/json"
-                            });
-                            await s3Client.send(uploadCommand);
-
-                            // Check if file still exists before unlinking
-                            try {
-                                await fs.access(filePath);
-                                await fs.unlink(filePath);
-                            } catch (unlinkError) {
-                                logger.debug(
-                                    `Startup file ${file} was already deleted`
-                                );
-                            }
-
-                            logger.info(
-                                `Uploaded leftover event file ${file} to S3 with ${events.length} events`
-                            );
-                        } else {
-                            // Remove empty file
-                            try {
-                                await fs.access(filePath);
-                                await fs.unlink(filePath);
-                            } catch (unlinkError) {
-                                logger.debug(
-                                    `Empty startup file ${file} was already deleted`
-                                );
-                            }
-                        }
-                    } catch (err) {
-                        logger.error(
-                            `Error processing leftover event file ${file}:`,
-                            err
-                        );
-                    }
-                }
-            }
-        } catch (error) {
-            logger.error("Failed to scan for leftover event files");
-        }
-    }
-
    public async add(
        orgId: string,
        featureId: FeatureId,
@@ -206,7 +130,9 @@ export class UsageService {
                }

                // Log event for Stripe
-                await this.logStripeEvent(featureId, value, customerId);
+                // if (privateConfig.getRawPrivateConfig().flags.usage_reporting) {
+                //     await this.logStripeEvent(featureId, value, customerId);
+                // }

                return usage || null;
            } catch (error: any) {
@@ -286,7 +212,7 @@ export class UsageService {
        return new Date(date * 1000).toISOString().split("T")[0];
    }

-    async updateDaily(
+    async updateCount(
        orgId: string,
        featureId: FeatureId,
        value?: number,
@@ -312,8 +238,6 @@ export class UsageService {
                value = this.truncateValue(value);
            }

-            const today = this.getTodayDateString();
-
            let currentUsage: Usage | null = null;

            await db.transaction(async (trx) => {
@@ -327,66 +251,34 @@ export class UsageService {
                    .limit(1);

                if (currentUsage) {
-                    const lastUpdateDate = this.getDateString(
-                        currentUsage.updatedAt
-                    );
-                    const currentRunningTotal = currentUsage.latestValue;
-                    const lastDailyValue = currentUsage.instantaneousValue || 0;
-
-                    if (value == undefined || value === null) {
-                        value = currentUsage.instantaneousValue || 0;
-                    }
-
-                    if (lastUpdateDate === today) {
-                        // Same day update: replace the daily value
-                        // Remove old daily value from running total, add new value
-                        const newRunningTotal = this.truncateValue(
-                            currentRunningTotal - lastDailyValue + value
-                        );
-
-                        await trx
-                            .update(usage)
-                            .set({
-                                latestValue: newRunningTotal,
-                                instantaneousValue: value,
-                                updatedAt: Math.floor(Date.now() / 1000)
-                            })
-                            .where(eq(usage.usageId, usageId));
-                    } else {
-                        // New day: add to running total
-                        const newRunningTotal = this.truncateValue(
-                            currentRunningTotal + value
-                        );
-
-                        await trx
-                            .update(usage)
-                            .set({
-                                latestValue: newRunningTotal,
-                                instantaneousValue: value,
-                                updatedAt: Math.floor(Date.now() / 1000)
-                            })
-                            .where(eq(usage.usageId, usageId));
-                    }
+                    await trx
+                        .update(usage)
+                        .set({
+                            instantaneousValue: value,
+                            updatedAt: Math.floor(Date.now() / 1000)
+                        })
+                        .where(eq(usage.usageId, usageId));
                } else {
                    // First record for this meter
                    const meterId = getFeatureMeterId(featureId);
-                    const truncatedValue = this.truncateValue(value || 0);
                    await trx.insert(usage).values({
                        usageId,
                        featureId,
                        orgId,
                        meterId,
-                        instantaneousValue: truncatedValue,
-                        latestValue: truncatedValue,
+                        instantaneousValue: value || 0,
+                        latestValue: value || 0,
                        updatedAt: Math.floor(Date.now() / 1000)
                    });
                }
            });

-            await this.logStripeEvent(featureId, value || 0, customerId);
+            // if (privateConfig.getRawPrivateConfig().flags.usage_reporting) {
+            //     await this.logStripeEvent(featureId, value || 0, customerId);
+            // }
        } catch (error) {
            logger.error(
-                `Failed to update daily usage for ${orgId}/${featureId}:`,
+                `Failed to update count usage for ${orgId}/${featureId}:`,
                error
            );
        }
@@ -450,121 +342,58 @@ export class UsageService {
            }
        };

-        await this.writeEventToFile(event);
-        await this.checkAndUploadFile();
+        this.addEventToMemory(event);
+        await this.checkAndUploadEvents();
    }

-    private async writeEventToFile(event: StripeEvent): Promise<void> {
-        if (!this.eventsDir || !this.bucketName) {
+    private addEventToMemory(event: StripeEvent): void {
+        if (!this.bucketName) {
            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping event file write."
+                "S3 bucket name is not configured, skipping event storage."
            );
            return;
        }
-        if (!this.currentEventFile) {
-            this.currentEventFile = this.generateEventFileName();
-            this.currentFileStartTime = Date.now();
-        }
-
-        const filePath = path.join(this.eventsDir, this.currentEventFile);
-
-        try {
-            let events: StripeEvent[] = [];
-
-            // Try to read existing file
-            try {
-                const fileContent = await fs.readFile(filePath, "utf-8");
-                events = JSON.parse(fileContent);
-            } catch (error) {
-                // File doesn't exist or is empty, start with empty array
-                events = [];
-            }
-
-            // Add new event
-            events.push(event);
-
-            // Write back to file
-            await fs.writeFile(filePath, JSON.stringify(events, null, 2));
-        } catch (error) {
-            logger.error("Failed to write event to file:", error);
-        }
+        this.events.push(event);
    }

-    private async checkAndUploadFile(): Promise<void> {
-        if (!this.currentEventFile) {
-            return;
-        }
-
+    private async checkAndUploadEvents(): Promise<void> {
        const now = Date.now();
-        const fileAge = now - this.currentFileStartTime;
+        const timeSinceLastUpload = now - this.lastUploadTime;

-        // Check if file is at least 1 minute old
-        if (fileAge >= 60000) {
-            // 60 seconds
-            await this.uploadFileToS3();
+        // Check if at least 1 minute has passed since last upload
+        if (timeSinceLastUpload >= 60000 && this.events.length > 0) {
+            await this.uploadEventsToS3();
        }
    }

-    private async uploadFileToS3(): Promise<void> {
-        if (!this.bucketName || !this.eventsDir) {
+    private async uploadEventsToS3(): Promise<void> {
+        if (!this.bucketName) {
            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping S3 upload."
-            );
-            return;
-        }
-        if (!this.currentEventFile) {
-            return;
-        }
-
-        const fileName = this.currentEventFile;
-        const filePath = path.join(this.eventsDir, fileName);
-
-        // Check if this file is already being uploaded
-        if (this.uploadingFiles.has(fileName)) {
-            logger.debug(
-                `File ${fileName} is already being uploaded, skipping`
+                "S3 bucket name is not configured, skipping S3 upload."
            );
            return;
        }

-        // Mark file as being uploaded
-        this.uploadingFiles.add(fileName);
+        if (this.events.length === 0) {
+            return;
+        }
+
+        // Check if already uploading
+        if (this.isUploading) {
+            logger.debug("Already uploading events, skipping");
+            return;
+        }
+
+        this.isUploading = true;

        try {
-            // Check if file exists before trying to read it
-            try {
-                await fs.access(filePath);
-            } catch (error) {
-                logger.debug(
-                    `File ${fileName} does not exist, may have been already processed`
-                );
-                this.uploadingFiles.delete(fileName);
-                // Reset current file if it was this file
-                if (this.currentEventFile === fileName) {
-                    this.currentEventFile = null;
-                    this.currentFileStartTime = 0;
-                }
-                return;
-            }
+            // Take a snapshot of current events and clear the array
+            const eventsToUpload = [...this.events];
+            this.events = [];
+            this.lastUploadTime = Date.now();

-            // Check if file exists and has content
-            const fileContent = await fs.readFile(filePath, "utf-8");
-            const events = JSON.parse(fileContent);
-
-            if (events.length === 0) {
-                // No events to upload, just clean up
-                try {
-                    await fs.unlink(filePath);
-                } catch (unlinkError) {
-                    // File may have been already deleted
-                    logger.debug(
-                        `File ${fileName} was already deleted during cleanup`
-                    );
-                }
-                this.currentEventFile = null;
-                this.uploadingFiles.delete(fileName);
-                return;
-            }
+            const fileName = this.generateEventFileName();
+            const fileContent = JSON.stringify(eventsToUpload, null, 2);

            // Upload to S3
            const uploadCommand = new PutObjectCommand({
@@ -576,29 +405,15 @@ export class UsageService {

            await s3Client.send(uploadCommand);

-            // Clean up local file - check if it still exists before unlinking
-            try {
-                await fs.access(filePath);
-                await fs.unlink(filePath);
-            } catch (unlinkError) {
-                // File may have been already deleted by another process
-                logger.debug(
-                    `File ${fileName} was already deleted during upload`
-                );
-            }
-
            logger.info(
-                `Uploaded ${fileName} to S3 with ${events.length} events`
+                `Uploaded ${fileName} to S3 with ${eventsToUpload.length} events`
            );
-
-            // Reset for next file
-            this.currentEventFile = null;
-            this.currentFileStartTime = 0;
        } catch (error) {
-            logger.error(`Failed to upload ${fileName} to S3:`, error);
+            logger.error("Failed to upload events to S3:", error);
+            // Note: Events are lost if upload fails. In a production system,
+            // you might want to add the events back to the array or implement retry logic
        } finally {
-            // Always remove from uploading set
-            this.uploadingFiles.delete(fileName);
+            this.isUploading = false;
        }
    }

@@ -683,129 +498,16 @@ export class UsageService {
        }
    }

-    public async getUsageDaily(
-        orgId: string,
-        featureId: FeatureId
-    ): Promise<Usage | null> {
-        if (noop()) {
-            return null;
-        }
-        await this.updateDaily(orgId, featureId); // Ensure daily usage is updated
-        return this.getUsage(orgId, featureId);
-    }
-
    public async forceUpload(): Promise<void> {
-        await this.uploadFileToS3();
-    }
-
-    /**
-     * Scan the events directory for files older than 1 minute and upload them if not empty.
-     */
-    private async uploadOldEventFiles(): Promise<void> {
-        if (!this.eventsDir || !this.bucketName) {
-            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping old event file upload."
-            );
-            return;
-        }
-        try {
-            const files = await fs.readdir(this.eventsDir);
-            const now = Date.now();
-            for (const file of files) {
-                if (!file.endsWith(".json")) continue;
-
-                // Skip files that are already being uploaded
-                if (this.uploadingFiles.has(file)) {
-                    logger.debug(
-                        `Skipping file ${file} as it's already being uploaded`
-                    );
-                    continue;
-                }
-
-                const filePath = path.join(this.eventsDir, file);
-
-                try {
-                    // Check if file still exists before processing
-                    try {
-                        await fs.access(filePath);
-                    } catch (accessError) {
-                        logger.debug(`File ${file} does not exist, skipping`);
-                        continue;
-                    }
-
-                    const stat = await fs.stat(filePath);
-                    const age = now - stat.mtimeMs;
-                    if (age >= 90000) {
-                        // 1.5 minutes - Mark as being uploaded
-                        this.uploadingFiles.add(file);
-
-                        try {
-                            const fileContent = await fs.readFile(
-                                filePath,
-                                "utf-8"
-                            );
-                            const events = JSON.parse(fileContent);
-                            if (Array.isArray(events) && events.length > 0) {
-                                // Upload to S3
-                                const uploadCommand = new PutObjectCommand({
-                                    Bucket: this.bucketName,
-                                    Key: file,
-                                    Body: fileContent,
-                                    ContentType: "application/json"
-                                });
-                                await s3Client.send(uploadCommand);
-
-                                // Check if file still exists before unlinking
-                                try {
-                                    await fs.access(filePath);
-                                    await fs.unlink(filePath);
-                                } catch (unlinkError) {
-                                    logger.debug(
-                                        `File ${file} was already deleted during interval upload`
-                                    );
-                                }
-
-                                logger.info(
-                                    `Interval: Uploaded event file ${file} to S3 with ${events.length} events`
-                                );
-                                // If this was the current event file, reset it
-                                if (this.currentEventFile === file) {
-                                    this.currentEventFile = null;
-                                    this.currentFileStartTime = 0;
-                                }
-                            } else {
-                                // Remove empty file
-                                try {
-                                    await fs.access(filePath);
-                                    await fs.unlink(filePath);
-                                } catch (unlinkError) {
-                                    logger.debug(
-                                        `Empty file ${file} was already deleted`
-                                    );
-                                }
-                            }
-                        } finally {
-                            // Always remove from uploading set
-                            this.uploadingFiles.delete(file);
-                        }
-                    }
-                } catch (err) {
-                    logger.error(
-                        `Interval: Error processing event file ${file}:`,
-                        err
-                    );
-                    // Remove from uploading set on error
-                    this.uploadingFiles.delete(file);
-                }
-            }
-        } catch (err) {
-            logger.error("Interval: Failed to scan for event files:", err);
+        if (this.events.length > 0) {
+            // Force upload regardless of time
+            this.lastUploadTime = 0; // Reset to force upload
+            await this.uploadEventsToS3();
        }
    }

    public async checkLimitSet(
        orgId: string,
-        kickSites = false,
        featureId?: FeatureId,
        usage?: Usage,
        trx: Transaction | typeof db = db
@@ -879,58 +581,6 @@ export class UsageService {
                    break; // Exit early if any limit is exceeded
                }
            }
-
-            // If any limits are exceeded, disconnect all sites for this organization
-            if (hasExceededLimits && kickSites) {
-                logger.warn(
-                    `Disconnecting all sites for org ${orgId} due to exceeded limits`
-                );
-
-                // Get all sites for this organization
-                const orgSites = await trx
-                    .select()
-                    .from(sites)
-                    .where(eq(sites.orgId, orgId));
-
-                // Mark all sites as offline and send termination messages
-                const siteUpdates = orgSites.map((site) => site.siteId);
-
-                if (siteUpdates.length > 0) {
-                    // Send termination messages to newt sites
-                    for (const site of orgSites) {
-                        if (site.type === "newt") {
-                            const [newt] = await trx
-                                .select()
-                                .from(newts)
-                                .where(eq(newts.siteId, site.siteId))
-                                .limit(1);
-
-                            if (newt) {
-                                const payload = {
-                                    type: `newt/wg/terminate`,
-                                    data: {
-                                        reason: "Usage limits exceeded"
-                                    }
-                                };
-
-                                // Don't await to prevent blocking
-                                await sendToClient(newt.newtId, payload).catch(
-                                    (error: any) => {
-                                        logger.error(
-                                            `Failed to send termination message to newt ${newt.newtId}:`,
-                                            error
-                                        );
-                                    }
-                                );
-                            }
-                        }
-                    }
-
-                    logger.info(
-                        `Disconnected ${orgSites.length} sites for org ${orgId} due to exceeded limits`
-                    );
-                }
-            }
        } catch (error) {
            logger.error(`Error checking limits for org ${orgId}:`, error);
        }
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -31,8 +31,8 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import { isLicensedOrSubscribed } from "../isLicencedOrSubscribed";
-import { build } from "@server/build";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "../billing/tierMatrix";

 export type ProxyResourcesResults = {
    proxyResource: Resource;
@@ -212,12 +212,8 @@ export async function updateProxyResources(
            } else {
                // Update existing resource

-                const isLicensed = await isLicensedOrSubscribed(orgId);
-                if (build == "enterprise" && !isLicensed) {
-                    logger.warn(
-                        "Server is not licensed! Clearing set maintenance screen values"
-                    );
-                    // null the maintenance mode fields if not licensed
+                const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
+                if (!isLicensed) {
                    resourceData.maintenance = undefined;
                }

@@ -587,13 +583,15 @@ export async function updateProxyResources(

            // Sync rules
            for (const [index, rule] of resourceData.rules?.entries() || []) {
+                const intendedPriority = rule.priority ?? index + 1;
                const existingRule = existingRules[index];
                if (existingRule) {
                    if (
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
                        existingRule.value !==
-                            getRuleValue(rule.match.toUpperCase(), rule.value)
+                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
+                        existingRule.priority !== intendedPriority
                    ) {
                        validateRule(rule);
                        await trx
@@ -604,7 +602,8 @@ export async function updateProxyResources(
                                value: getRuleValue(
                                    rule.match.toUpperCase(),
                                    rule.value
-                                )
+                                ),
+                                priority: intendedPriority
                            })
                            .where(
                                eq(resourceRules.ruleId, existingRule.ruleId)
@@ -620,7 +619,7 @@ export async function updateProxyResources(
                            rule.match.toUpperCase(),
                            rule.value
                        ),
-                        priority: index + 1 // start priorities at 1
+                        priority: intendedPriority
                    });
                }
            }
@@ -649,12 +648,8 @@ export async function updateProxyResources(
                );
            }

-            const isLicensed = await isLicensedOrSubscribed(orgId);
-            if (build == "enterprise" && !isLicensed) {
-                logger.warn(
-                    "Server is not licensed! Clearing set maintenance screen values"
-                );
-                // null the maintenance mode fields if not licensed
+            const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
+            if (!isLicensed) {
                resourceData.maintenance = undefined;
            }

@@ -809,7 +804,7 @@ export async function updateProxyResources(
                    action: getRuleAction(rule.action),
                    match: rule.match.toUpperCase(),
                    value: getRuleValue(rule.match.toUpperCase(), rule.value),
-                    priority: index + 1 // start priorities at 1
+                    priority: rule.priority ?? index + 1
                });
            }

--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -78,7 +78,8 @@ export const RuleSchema = z
    .object({
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn"]),
-        value: z.string()
+        value: z.string(),
+        priority: z.int().optional()
    })
    .refine(
        (rule) => {
@@ -268,6 +269,39 @@ export const ResourceSchema = z
            path: ["auth"],
            error: "When protocol is 'tcp' or 'udp', 'auth' must not be provided"
        }
+    )
+    .refine(
+        (resource) => {
+            // Skip validation for targets-only resources
+            if (isTargetsOnlyResource(resource)) {
+                return true;
+            }
+            // Skip validation if no rules are defined
+            if (!resource.rules || resource.rules.length === 0) return true;
+
+            const finalPriorities: number[] = [];
+            let priorityCounter = 1;
+
+            // Gather priorities, assigning auto-priorities where needed
+            // following the logic from the backend implementation where
+            // empty priorities are auto-assigned a value of 1 + index of rule
+            for (const rule of resource.rules) {
+                if (rule.priority !== undefined) {
+                    finalPriorities.push(rule.priority);
+                } else {
+                    finalPriorities.push(priorityCounter);
+                }
+                priorityCounter++;
+            }
+
+            // Validate for duplicate priorities
+            return finalPriorities.length === new Set(finalPriorities).size;
+        },
+        {
+            path: ["rules"],
+            message:
+                "Rules have conflicting or invalid priorities (must be unique, including auto-assigned ones)"
+        }
    );

 export function isTargetsOnlyResource(resource: any): boolean {
@@ -290,8 +324,8 @@ export const ClientResourceSchema = z
        alias: z
            .string()
            .regex(
-                /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
-                "Alias must be a fully qualified domain name (e.g., example.com)"
+                /^(?:[a-zA-Z0-9*?](?:[a-zA-Z0-9*?-]{0,61}[a-zA-Z0-9*?])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
+                "Alias must be a fully qualified domain name with optional wildcards (e.g., example.com, *.example.com, host-0?.example.internal)"
            )
            .optional(),
        roles: z
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -1,21 +1,26 @@
+import { listExitNodes } from "#dynamic/lib/exitNodes";
+import { build } from "@server/build";
 import {
+    approvals,
    clients,
    db,
    olms,
    orgs,
    roleClients,
    roles,
+    Transaction,
    userClients,
-    userOrgs,
-    Transaction
+    userOrgs
 } from "@server/db";
-import { eq, and, notInArray } from "drizzle-orm";
-import { listExitNodes } from "#dynamic/lib/exitNodes";
-import { getNextAvailableClientSubnet } from "@server/lib/ip";
-import logger from "@server/logger";
-import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
-import { sendTerminateClient } from "@server/routers/client/terminate";
 import { getUniqueClientName } from "@server/db/names";
+import { getNextAvailableClientSubnet } from "@server/lib/ip";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import logger from "@server/logger";
+import { sendTerminateClient } from "@server/routers/client/terminate";
+import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
+import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
+import { OlmErrorCodes } from "@server/routers/olm/error";
+import { tierMatrix } from "./billing/tierMatrix";

 export async function calculateUserClientsForOrgs(
    userId: string,
@@ -38,13 +43,15 @@ export async function calculateUserClientsForOrgs(
        const allUserOrgs = await transaction
            .select()
            .from(userOrgs)
+            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
            .where(eq(userOrgs.userId, userId));

-        const userOrgIds = allUserOrgs.map((uo) => uo.orgId);
+        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);

        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const userOrg of allUserOrgs) {
+            for (const userRoleOrg of allUserOrgs) {
+                const { userOrgs: userOrg, roles: role } = userRoleOrg;
                const orgId = userOrg.orgId;

                const [org] = await transaction
@@ -182,21 +189,47 @@ export async function calculateUserClientsForOrgs(

                const niceId = await getUniqueClientName(orgId);

+                const isOrgLicensed = await isLicensedOrSubscribed(
+                    userOrg.orgId,
+                    tierMatrix.deviceApprovals
+                );
+                const requireApproval =
+                    build !== "oss" &&
+                    isOrgLicensed &&
+                    role.requireDeviceApproval;
+
+                const newClientData: InferInsertModel<typeof clients> = {
+                    userId,
+                    orgId: userOrg.orgId,
+                    exitNodeId: randomExitNode.exitNodeId,
+                    name: olm.name || "User Client",
+                    subnet: updatedSubnet,
+                    olmId: olm.olmId,
+                    type: "olm",
+                    niceId,
+                    approvalState: requireApproval ? "pending" : null
+                };
+
                // Create the client
                const [newClient] = await transaction
                    .insert(clients)
-                    .values({
-                        userId,
-                        orgId: userOrg.orgId,
-                        exitNodeId: randomExitNode.exitNodeId,
-                        name: olm.name || "User Client",
-                        subnet: updatedSubnet,
-                        olmId: olm.olmId,
-                        type: "olm",
-                        niceId
-                    })
+                    .values(newClientData)
                    .returning();

+                // create approval request
+                if (requireApproval) {
+                    await transaction
+                        .insert(approvals)
+                        .values({
+                            timestamp: Math.floor(new Date().getTime() / 1000),
+                            orgId: userOrg.orgId,
+                            clientId: newClient.clientId,
+                            userId,
+                            type: "user_device"
+                        })
+                        .returning();
+                }
+
                await rebuildClientAssociationsFromClient(
                    newClient,
                    transaction
@@ -275,6 +308,7 @@ async function cleanupOrphanedClients(
            if (deletedClient.olmId) {
                await sendTerminateClient(
                    deletedClient.clientId,
+                    OlmErrorCodes.TERMINATED_DELETED,
                    deletedClient.olmId
                );
            }
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -3,6 +3,7 @@ import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAu
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
 import { gt, or } from "drizzle-orm";
+import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";

 export function initLogCleanupInterval() {
    return setInterval(
@@ -26,6 +27,7 @@ export function initLogCleanupInterval() {
                    )
                );

+            // TODO: handle when there are multiple nodes doing this clearing using redis
            for (const org of orgsToClean) {
                const {
                    orgId,
@@ -55,6 +57,8 @@ export function initLogCleanupInterval() {
                    );
                }
            }
+
+            await cleanUpOldFingerprintSnapshots(365);
        },
        3 * 60 * 60 * 1000
    ); // every 3 hours
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -107,6 +107,11 @@ export class Config {
            process.env.MAXMIND_ASN_PATH = parsedConfig.server.maxmind_asn_path;
        }

+        process.env.DISABLE_ENTERPRISE_FEATURES = parsedConfig.flags
+            ?.disable_enterprise_features
+            ? "true"
+            : "false";
+
        this.rawConfig = parsedConfig;
    }

--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.14.0";
+export const APP_VERSION = "1.15.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/createUserAccountOrg.ts
+++ b/server/lib/createUserAccountOrg.ts
@@ -182,7 +182,7 @@ export async function createUserAccountOrg(
    const customerId = await createCustomer(orgId, userEmail);

    if (customerId) {
-        await usageService.updateDaily(orgId, FeatureId.USERS, 1, customerId); // Only 1 because we are crating the org
+        await usageService.updateCount(orgId, FeatureId.USERS, 1, customerId); // Only 1 because we are crating the org
    }

    return {
--- a/server/lib/getEnvOrYaml.ts
+++ b/server/lib/getEnvOrYaml.ts
@@ -0,0 +1,3 @@
+export const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
+    return process.env[envVar] ?? valFromYaml;
+};
--- a/server/lib/isLicencedOrSubscribed.ts
+++ b/server/lib/isLicencedOrSubscribed.ts
@@ -1,17 +1,8 @@
-import { build } from "@server/build";
-import license from "#dynamic/license/license";
-import { getOrgTierData } from "#dynamic/lib/billing";
-import { TierId } from "@server/lib/billing/tiers";
+import { Tier } from "@server/types/Tiers";

-export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
-    if (build === "enterprise") {
-        return await license.isUnlocked();
-    }
-
-    if (build === "saas") {
-        const { tier } = await getOrgTierData(orgId);
-        return tier === TierId.STANDARD;
-    }
-
-    return true;
+export async function isLicensedOrSubscribed(
+    orgId: string,
+    tiers: Tier[]
+): Promise<boolean> {
+    return false;
 }
--- a/server/lib/isSubscribed.ts
+++ b/server/lib/isSubscribed.ts
@@ -0,0 +1,8 @@
+import { Tier } from "@server/types/Tiers";
+
+export async function isSubscribed(
+    orgId: string,
+    tiers: Tier[]
+): Promise<boolean> {
+    return false;
+}
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -3,13 +3,10 @@ import yaml from "js-yaml";
 import { configFilePath1, configFilePath2 } from "./consts";
 import { z } from "zod";
 import stoi from "./stoi";
+import { getEnvOrYaml } from "./getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

-const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
-    return process.env[envVar] ?? valFromYaml;
-};
-
 export const configSchema = z
    .object({
        app: z
@@ -311,7 +308,10 @@ export const configSchema = z
            .object({
                smtp_host: z.string().optional(),
                smtp_port: portSchema.optional(),
-                smtp_user: z.string().optional(),
+                smtp_user: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("EMAIL_SMTP_USER")),
                smtp_pass: z
                    .string()
                    .optional()
@@ -331,7 +331,8 @@ export const configSchema = z
                disable_local_sites: z.boolean().optional(),
                disable_basic_wireguard_sites: z.boolean().optional(),
                disable_config_managed_domains: z.boolean().optional(),
-                disable_product_help_banners: z.boolean().optional()
+                disable_product_help_banners: z.boolean().optional(),
+                disable_enterprise_features: z.boolean().optional()
            })
            .optional(),
        dns: z
--- a/server/license/license.ts
+++ b/server/license/license.ts
@@ -12,6 +12,10 @@ export type LicenseStatus = {
    isLicenseValid: boolean; // Is the license key valid?
    hostId: string; // Host ID
    tier?: LicenseKeyTier;
+    maxSites?: number;
+    usedSites?: number;
+    maxUsers?: number;
+    usedUsers?: number;
 };

 export type LicenseKeyCache = {
@@ -22,12 +26,14 @@ export type LicenseKeyCache = {
    type?: LicenseKeyType;
    tier?: LicenseKeyTier;
    terminateAt?: Date;
+    quantity?: number;
+    quantity_2?: number;
 };

 export class License {
    private serverSecret!: string;

-    constructor(private hostMeta: HostMeta) {}
+    constructor(private hostMeta: HostMeta) { }

    public async check(): Promise<LicenseStatus> {
        return {
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -29,3 +29,4 @@ export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
 export * from "./logActionAudit";
 export * from "./verifyOlmAccess";
+export * from "./verifyLimits";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
+export * from "./verifyApiKeyIdpAccess";
--- a/server/middlewares/integration/verifyApiKeyIdpAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
@@ -0,0 +1,88 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { idp, idpOrg, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyIdpAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!idpId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any IDP in any org
+            return next();
+        }
+
+        const [idpRes] = await db
+            .select()
+            .from(idp)
+            .innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
+            .where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
+            .limit(1);
+
+        if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `IdP with ID ${idpId} not found for organization ${orgId}`
+                )
+            );
+        }
+
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
+                    )
+                );
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying IDP access"
+            )
+        );
+    }
+}
--- a/server/middlewares/integration/verifyApiKeyOrgAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyOrgAccess.ts
@@ -4,7 +4,6 @@ import { apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import logger from "@server/logger";

 export async function verifyApiKeyOrgAccess(
    req: Request,
--- a/server/middlewares/verifyLimits.ts
+++ b/server/middlewares/verifyLimits.ts
@@ -0,0 +1,43 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { usageService } from "@server/lib/billing/usageService";
+import { build } from "@server/build";
+
+export async function verifyLimits(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    if (build != "saas") {
+        return next();
+    }
+
+    const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;
+
+    if (!orgId) {
+        return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail
+    }
+
+    try {
+        const reject = await usageService.checkLimitSet(orgId);
+
+        if (reject) {
+            return next(
+                createHttpError(
+                    HttpCode.PAYMENT_REQUIRED,
+                    "Organization has exceeded its usage limits. Please upgrade your plan or contact support."
+                )
+            );
+        }
+
+        return next();
+    } catch (e) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error checking limits"
+            )
+        );
+    }
+}
--- a/server/private/lib/billing/getOrgTierData.ts
+++ b/server/private/lib/billing/getOrgTierData.ts
@@ -11,36 +11,59 @@
 * This file is not licensed under the AGPLv3.
 */

-import { getTierPriceSet } from "@server/lib/billing/tiers";
-import { getOrgSubscriptionData } from "#private/routers/billing/getOrgSubscription";
 import { build } from "@server/build";
+import { db, customers, subscriptions } from "@server/db";
+import { Tier } from "@server/types/Tiers";
+import { eq, and, ne } from "drizzle-orm";

 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: string | null; active: boolean }> {
-    let tier = null;
+): Promise<{ tier: Tier | null; active: boolean }> {
+    let tier: Tier | null = null;
    let active = false;

    if (build !== "saas") {
        return { tier, active };
    }

-    const { subscription, items } = await getOrgSubscriptionData(orgId);
+    try {
+        // Get customer for org
+        const [customer] = await db
+            .select()
+            .from(customers)
+            .where(eq(customers.orgId, orgId))
+            .limit(1);

-    if (items && items.length > 0) {
-        const tierPriceSet = getTierPriceSet();
-        // Iterate through tiers in order (earlier keys are higher tiers)
-        for (const [tierId, priceId] of Object.entries(tierPriceSet)) {
-            // Check if any subscription item matches this tier's price ID
-            const matchingItem = items.find((item) => item.priceId === priceId);
-            if (matchingItem) {
-                tier = tierId;
-                break;
+        if (customer) {
+            // Query for active subscriptions that are not license type
+            const [subscription] = await db
+                .select()
+                .from(subscriptions)
+                .where(
+                    and(
+                        eq(subscriptions.customerId, customer.customerId),
+                        eq(subscriptions.status, "active"),
+                        ne(subscriptions.type, "license")
+                    )
+                )
+                .limit(1);
+
+            if (subscription) {
+                // Validate that subscription.type is one of the expected tier values
+                if (
+                    subscription.type === "tier1" ||
+                    subscription.type === "tier2" ||
+                    subscription.type === "tier3"
+                ) {
+                    tier = subscription.type;
+                    active = true;
+                }
            }
        }
+    } catch (error) {
+        // If org not found or error occurs, return null tier and inactive
+        // This is acceptable behavior as per the function signature
    }
-    if (subscription && subscription.status === "active") {
-        active = true;
-    }
+
    return { tier, active };
 }
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -19,7 +19,6 @@ import * as fs from "fs";
 import logger from "@server/logger";
 import cache from "@server/lib/cache";

-let encryptionKeyPath = "";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
 function loadEncryptData() {
@@ -27,15 +26,7 @@ function loadEncryptData() {
        return; // already loaded
    }

-    encryptionKeyPath = config.getRawPrivateConfig().server.encryption_key_path;
-
-    if (!fs.existsSync(encryptionKeyPath)) {
-        throw new Error(
-            "Encryption key file not found. Please generate one first."
-        );
-    }
-
-    encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
+    encryptionKeyHex = config.getRawPrivateConfig().server.encryption_key;
    encryptionKey = Buffer.from(encryptionKeyHex, "hex");
 }

--- a/server/private/lib/checkOrgAccessPolicy.ts
+++ b/server/private/lib/checkOrgAccessPolicy.ts
@@ -13,8 +13,6 @@

 import { build } from "@server/build";
 import { db, Org, orgs, ResourceSession, sessions, users } from "@server/db";
-import { getOrgTierData } from "#private/lib/billing";
-import { TierId } from "@server/lib/billing/tiers";
 import license from "#private/license/license";
 import { eq } from "drizzle-orm";
 import {
@@ -80,6 +78,8 @@ export async function checkOrgAccessPolicy(
        }
    }

+    // TODO: check that the org is subscribed
+
    // get the needed data

    if (!props.org) {
--- a/server/private/lib/config.ts
+++ b/server/private/lib/config.ts
@@ -125,20 +125,14 @@ export class PrivateConfig {
                this.rawPrivateConfig.server.reo_client_id;
        }

-        if (this.rawPrivateConfig.stripe?.s3Bucket) {
-            process.env.S3_BUCKET = this.rawPrivateConfig.stripe.s3Bucket;
-        }
-        if (this.rawPrivateConfig.stripe?.localFilePath) {
-            process.env.LOCAL_FILE_PATH =
-                this.rawPrivateConfig.stripe.localFilePath;
-        }
-        if (this.rawPrivateConfig.stripe?.s3Region) {
-            process.env.S3_REGION = this.rawPrivateConfig.stripe.s3Region;
-        }
        if (this.rawPrivateConfig.flags.use_pangolin_dns) {
            process.env.USE_PANGOLIN_DNS =
                this.rawPrivateConfig.flags.use_pangolin_dns.toString();
        }
+        if (this.rawPrivateConfig.flags.use_org_only_idp) {
+            process.env.USE_ORG_ONLY_IDP =
+                this.rawPrivateConfig.flags.use_org_only_idp.toString();
+        }
    }

    public getRawPrivateConfig() {
--- a/server/private/lib/exitNodes/exitNodeComms.ts
+++ b/server/private/lib/exitNodes/exitNodeComms.ts
@@ -50,10 +50,14 @@ export async function sendToExitNode(
            );
        }

-        return sendToClient(remoteExitNode.remoteExitNodeId, {
-            type: request.remoteType,
-            data: request.data
-        });
+        return sendToClient(
+            remoteExitNode.remoteExitNodeId,
+            {
+                type: request.remoteType,
+                data: request.data
+            },
+            { incrementConfigVersion: true }
+        );
    } else {
        let hostname = exitNode.reachableAt;

--- a/server/private/lib/exitNodes/exitNodes.ts
+++ b/server/private/lib/exitNodes/exitNodes.ts
@@ -288,7 +288,7 @@ export function selectBestExitNode(
    const validNodes = pingResults.filter((n) => !n.error && n.weight > 0);

    if (validNodes.length === 0) {
-        logger.error("No valid exit nodes available");
+        logger.debug("No valid exit nodes available");
        return null;
    }

--- a/server/private/lib/isLicencedOrSubscribed.ts
+++ b/server/private/lib/isLicencedOrSubscribed.ts
@@ -0,0 +1,32 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { build } from "@server/build";
+import license from "#private/license/license";
+import { isSubscribed } from "#private/lib/isSubscribed";
+import { Tier } from "@server/types/Tiers";
+
+export async function isLicensedOrSubscribed(
+    orgId: string,
+    tiers: Tier[]
+): Promise<boolean> {
+    if (build === "enterprise") {
+        return await license.isUnlocked();
+    }
+
+    if (build === "saas") {
+        return isSubscribed(orgId, tiers);
+    }
+
+    return false;
+}
--- a/server/private/lib/isSubscribed.ts
+++ b/server/private/lib/isSubscribed.ts
@@ -0,0 +1,29 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { build } from "@server/build";
+import { getOrgTierData } from "#private/lib/billing";
+import { Tier } from "@server/types/Tiers";
+
+export async function isSubscribed(
+    orgId: string,
+    tiers: Tier[]
+): Promise<boolean> {
+    if (build === "saas") {
+        const { tier, active } = await getOrgTierData(orgId);
+        const isTier = (tier && tiers.includes(tier)) || false;
+        return active && isTier;
+    }
+
+    return false;
+}
--- a/server/private/lib/lock.ts
+++ b/server/private/lib/lock.ts
@@ -24,7 +24,9 @@ export class LockManager {
     */
    async acquireLock(
        lockKey: string,
-        ttlMs: number = 30000
+        ttlMs: number = 30000,
+        maxRetries: number = 3,
+        retryDelayMs: number = 100
    ): Promise<boolean> {
        if (!redis || !redis.status || redis.status !== "ready") {
            return true;
@@ -35,49 +37,67 @@ export class LockManager {
        }:${Date.now()}`;
        const redisKey = `lock:${lockKey}`;

-        try {
-            // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
-            // This is atomic and handles both setting and expiration
-            const result = await redis.set(
-                redisKey,
-                lockValue,
-                "PX",
-                ttlMs,
-                "NX"
-            );
-
-            if (result === "OK") {
-                logger.debug(
-                    `Lock acquired: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
+        for (let attempt = 0; attempt < maxRetries; attempt++) {
+            try {
+                // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
+                // This is atomic and handles both setting and expiration
+                const result = await redis.set(
+                    redisKey,
+                    lockValue,
+                    "PX",
+                    ttlMs,
+                    "NX"
                );
-                return true;
-            }

-            // Check if the existing lock is from this worker (reentrant behavior)
-            const existingValue = await redis.get(redisKey);
-            if (
-                existingValue &&
-                existingValue.startsWith(
-                    `${config.getRawConfig().gerbil.exit_node_name}:`
-                )
-            ) {
-                // Extend the lock TTL since it's the same worker
-                await redis.pexpire(redisKey, ttlMs);
-                logger.debug(
-                    `Lock extended: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
-                );
-                return true;
-            }
+                if (result === "OK") {
+                    logger.debug(
+                        `Lock acquired: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }

-            return false;
-        } catch (error) {
-            logger.error(`Failed to acquire lock ${lockKey}:`, error);
-            return false;
+                // Check if the existing lock is from this worker (reentrant behavior)
+                const existingValue = await redis.get(redisKey);
+                if (
+                    existingValue &&
+                    existingValue.startsWith(
+                        `${config.getRawConfig().gerbil.exit_node_name}:`
+                    )
+                ) {
+                    // Extend the lock TTL since it's the same worker
+                    await redis.pexpire(redisKey, ttlMs);
+                    logger.debug(
+                        `Lock extended: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
+
+                // If this isn't our last attempt, wait before retrying with exponential backoff
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    logger.debug(
+                        `Lock ${lockKey} not available, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`
+                    );
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            } catch (error) {
+                logger.error(`Failed to acquire lock ${lockKey} (attempt ${attempt + 1}/${maxRetries}):`, error);
+                // On error, still retry if we have attempts left
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            }
        }
+
+        logger.debug(
+            `Failed to acquire lock ${lockKey} after ${maxRetries} attempts`
+        );
+        return false;
    }

    /**
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -17,6 +17,7 @@ import { privateConfigFilePath1 } from "@server/lib/consts";
 import { z } from "zod";
 import { colorsSchema } from "@server/lib/colorsSchema";
 import { build } from "@server/build";
+import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

@@ -32,19 +33,29 @@ export const privateConfigSchema = z.object({
        }),
    server: z
        .object({
-            encryption_key_path: z
+            encryption_key: z
                .string()
                .optional()
-                .default("./config/encryption.pem")
-                .pipe(z.string().min(8)),
-            resend_api_key: z.string().optional(),
-            reo_client_id: z.string().optional(),
-            fossorial_api_key: z.string().optional()
+                .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
+            resend_api_key: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("RESEND_API_KEY")),
+            reo_client_id: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("REO_CLIENT_ID")),
+            fossorial_api: z
+                .string()
+                .optional()
+                .default("https://api.fossorial.io"),
+            fossorial_api_key: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
        })
        .optional()
-        .default({
-            encryption_key_path: "./config/encryption.pem"
-        }),
+        .prefault({}),
    redis: z
        .object({
            host: z.string(),
@@ -83,7 +94,8 @@ export const privateConfigSchema = z.object({
    flags: z
        .object({
            enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false)
+            use_pangolin_dns: z.boolean().optional().default(false),
+            use_org_only_idp: z.boolean().optional().default(false),
        })
        .optional()
        .prefault({}),
@@ -156,11 +168,17 @@ export const privateConfigSchema = z.object({
        .optional(),
    stripe: z
        .object({
-            secret_key: z.string(),
-            webhook_secret: z.string(),
-            s3Bucket: z.string(),
-            s3Region: z.string().default("us-east-1"),
-            localFilePath: z.string()
+            secret_key: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
+            webhook_secret: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
+            // s3Bucket: z.string(),
+            // s3Region: z.string().default("us-east-1"),
+            // localFilePath: z.string().optional()
        })
        .optional()
 });
--- a/server/private/lib/redis.ts
+++ b/server/private/lib/redis.ts
@@ -573,6 +573,20 @@ class RedisManager {
        }
    }

+    public async incr(key: string): Promise<number> {
+        if (!this.isRedisEnabled() || !this.writeClient) return 0;
+
+        try {
+            return await this.executeWithRetry(
+                () => this.writeClient!.incr(key),
+                "Redis INCR"
+            );
+        } catch (error) {
+            logger.error("Redis INCR error:", error);
+            return 0;
+        }
+    }
+
    public async sadd(key: string, member: string): Promise<boolean> {
        if (!this.isRedisEnabled() || !this.writeClient) return false;

--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -456,11 +456,11 @@ export async function getTraefikConfig(
                    // );
                } else if (resource.maintenanceModeType === "automatic") {
                    showMaintenancePage = !hasHealthyServers;
-                    if (showMaintenancePage) {
-                        logger.warn(
-                            `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
-                        );
-                    }
+                    // if (showMaintenancePage) {
+                    //     logger.warn(
+                    //         `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
+                    //     );
+                    // }
                }
            }

--- a/server/private/license/license.ts
+++ b/server/private/license/license.ts
@@ -11,12 +11,12 @@
 * This file is not licensed under the AGPLv3.
 */

-import { db, HostMeta } from "@server/db";
+import { db, HostMeta, sites, users } from "@server/db";
 import { hostMeta, licenseKey } from "@server/db";
 import logger from "@server/logger";
 import NodeCache from "node-cache";
 import { validateJWT } from "./licenseJwt";
-import { eq } from "drizzle-orm";
+import { count, eq } from "drizzle-orm";
 import moment from "moment";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import {
@@ -54,6 +54,7 @@ type TokenPayload = {
    type: LicenseKeyType;
    tier: LicenseKeyTier;
    quantity: number;
+    quantity_2: number;
    terminateAt: string; // ISO
    iat: number; // Issued at
 };
@@ -140,10 +141,20 @@ LQIDAQAB
            };
        }

+        // Count used sites and users for license comparison
+        const [siteCountRes] = await db
+            .select({ value: count() })
+            .from(sites);
+        const [userCountRes] = await db
+            .select({ value: count() })
+            .from(users);
+
        const status: LicenseStatus = {
            hostId: this.hostMeta.hostMetaId,
            isHostLicensed: true,
-            isLicenseValid: false
+            isLicenseValid: false,
+            usedSites: siteCountRes?.value ?? 0,
+            usedUsers: userCountRes?.value ?? 0
        };

        this.checkInProgress = true;
@@ -151,6 +162,8 @@ LQIDAQAB
        try {
            if (!this.doRecheck && this.statusCache.has(this.statusKey)) {
                const res = this.statusCache.get("status") as LicenseStatus;
+                res.usedSites = status.usedSites;
+                res.usedUsers = status.usedUsers;
                return res;
            }
            logger.debug("Checking license status...");
@@ -193,7 +206,9 @@ LQIDAQAB
                        type: payload.type,
                        tier: payload.tier,
                        iat: new Date(payload.iat * 1000),
-                        terminateAt: new Date(payload.terminateAt)
+                        terminateAt: new Date(payload.terminateAt),
+                        quantity: payload.quantity,
+                        quantity_2: payload.quantity_2
                    });

                    if (payload.type === "host") {
@@ -292,6 +307,8 @@ LQIDAQAB
                    cached.tier = payload.tier;
                    cached.iat = new Date(payload.iat * 1000);
                    cached.terminateAt = new Date(payload.terminateAt);
+                    cached.quantity = payload.quantity;
+                    cached.quantity_2 = payload.quantity_2;

                    // Encrypt the updated token before storing
                    const encryptedKey = encrypt(
@@ -317,7 +334,7 @@ LQIDAQAB
                }
            }

-            // Compute host status
+            // Compute host status: quantity = users, quantity_2 = sites
            for (const key of keys) {
                const cached = newCache.get(key.licenseKey)!;

@@ -329,6 +346,28 @@ LQIDAQAB
                if (!cached.valid) {
                    continue;
                }
+
+                // Only consider quantity if defined and >= 0 (quantity = users, quantity_2 = sites)
+                if (
+                    cached.quantity_2 !== undefined &&
+                    cached.quantity_2 >= 0
+                ) {
+                    status.maxSites =
+                        (status.maxSites ?? 0) + cached.quantity_2;
+                }
+                if (cached.quantity !== undefined && cached.quantity >= 0) {
+                    status.maxUsers = (status.maxUsers ?? 0) + cached.quantity;
+                }
+            }
+
+            // Invalidate license if over user or site limits
+            if (
+                (status.maxSites !== undefined &&
+                    (status.usedSites ?? 0) > status.maxSites) ||
+                (status.maxUsers !== undefined &&
+                    (status.usedUsers ?? 0) > status.maxUsers)
+            ) {
+                status.isLicenseValid = false;
            }

            // Invalidate old cache and set new cache
@@ -502,7 +541,7 @@ LQIDAQAB
                    // Calculate exponential backoff delay
                    const retryDelay = Math.floor(
                        initialRetryDelay *
-                            Math.pow(exponentialFactor, attempt - 1)
+                        Math.pow(exponentialFactor, attempt - 1)
                    );

                    logger.debug(
--- a/server/private/middlewares/verifySubscription.ts
+++ b/server/private/middlewares/verifySubscription.ts
@@ -16,35 +16,61 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
+import { Tier } from "@server/types/Tiers";
+
+export function verifyValidSubscription(tiers: Tier[]) {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            if (build != "saas") {
+                return next();
+            }
+
+            const orgId =
+                req.params.orgId ||
+                req.body.orgId ||
+                req.query.orgId ||
+                req.userOrgId;
+
+            if (!orgId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Organization ID is required to verify subscription"
+                    )
+                );
+            }
+
+            const { tier, active } = await getOrgTierData(orgId);
+            const isTier = tiers.includes(tier as Tier);
+            if (!active) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Organization does not have an active subscription"
+                    )
+                );
+            }
+            if (!isTier) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Organization subscription tier does not have access to this feature"
+                    )
+                );
+            }

-export async function verifyValidSubscription(
-    req: Request,
-    res: Response,
-    next: NextFunction
-) {
-    try {
-        if (build != "saas") {
            return next();
-        }
-
-        const tier = await getOrgTierData(req.params.orgId);
-
-        if (!tier.active) {
+        } catch (e) {
            return next(
                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "Organization does not have an active subscription"
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying subscription"
                )
            );
        }
-
-        return next();
-    } catch (e) {
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Error verifying subscription"
-            )
-        );
-    }
+    };
 }
--- a/server/private/routers/approvals/countApprovals.ts
+++ b/server/private/routers/approvals/countApprovals.ts
@@ -0,0 +1,110 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import type { Request, Response, NextFunction } from "express";
+import { approvals, db, type Approval } from "@server/db";
+import { eq, sql, and } from "drizzle-orm";
+import response from "@server/lib/response";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const querySchema = z.strictObject({
+    approvalState: z
+        .enum(["pending", "approved", "denied", "all"])
+        .optional()
+        .default("all")
+        .catch("all")
+});
+
+export type CountApprovalsResponse = {
+    count: number;
+};
+
+export async function countApprovals(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { approvalState } = parsedQuery.data;
+        const { orgId } = parsedParams.data;
+
+        let state: Array<Approval["decision"]> = [];
+        switch (approvalState) {
+            case "pending":
+                state = ["pending"];
+                break;
+            case "approved":
+                state = ["approved"];
+                break;
+            case "denied":
+                state = ["denied"];
+                break;
+            default:
+                state = ["approved", "denied", "pending"];
+        }
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(approvals)
+            .where(
+                and(
+                    eq(approvals.orgId, orgId),
+                    sql`${approvals.decision} in ${state}`
+                )
+            );
+
+        return response<CountApprovalsResponse>(res, {
+            data: {
+                count
+            },
+            success: true,
+            error: false,
+            message: "Approval count retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/private/routers/approvals/index.ts
+++ b/server/private/routers/approvals/index.ts
@@ -0,0 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./listApprovals";
+export * from "./processPendingApproval";
+export * from "./countApprovals";
--- a/server/private/routers/approvals/listApprovals.ts
+++ b/server/private/routers/approvals/listApprovals.ts
@@ -0,0 +1,254 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import type { Request, Response, NextFunction } from "express";
+import { build } from "@server/build";
+import {
+    approvals,
+    clients,
+    db,
+    users,
+    olms,
+    currentFingerprint,
+    type Approval
+} from "@server/db";
+import { eq, isNull, sql, not, and, desc } from "drizzle-orm";
+import response from "@server/lib/response";
+import { getUserDeviceName } from "@server/db/names";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const querySchema = z.strictObject({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    approvalState: z
+        .enum(["pending", "approved", "denied", "all"])
+        .optional()
+        .default("all")
+        .catch("all"),
+    clientId: z
+        .string()
+        .optional()
+        .transform((val) => (val ? Number(val) : undefined))
+        .pipe(z.number().int().positive().optional())
+});
+
+async function queryApprovals(
+    orgId: string,
+    limit: number,
+    offset: number,
+    approvalState: z.infer<typeof querySchema>["approvalState"],
+    clientId?: number
+) {
+    let state: Array<Approval["decision"]> = [];
+    switch (approvalState) {
+        case "pending":
+            state = ["pending"];
+            break;
+        case "approved":
+            state = ["approved"];
+            break;
+        case "denied":
+            state = ["denied"];
+            break;
+        default:
+            state = ["approved", "denied", "pending"];
+    }
+
+    const res = await db
+        .select({
+            approvalId: approvals.approvalId,
+            orgId: approvals.orgId,
+            clientId: approvals.clientId,
+            decision: approvals.decision,
+            type: approvals.type,
+            user: {
+                name: users.name,
+                userId: users.userId,
+                username: users.username,
+                email: users.email
+            },
+            clientName: clients.name,
+            niceId: clients.niceId,
+            deviceModel: currentFingerprint.deviceModel,
+            fingerprintPlatform: currentFingerprint.platform,
+            fingerprintOsVersion: currentFingerprint.osVersion,
+            fingerprintKernelVersion: currentFingerprint.kernelVersion,
+            fingerprintArch: currentFingerprint.arch,
+            fingerprintSerialNumber: currentFingerprint.serialNumber,
+            fingerprintUsername: currentFingerprint.username,
+            fingerprintHostname: currentFingerprint.hostname
+        })
+        .from(approvals)
+        .innerJoin(users, and(eq(approvals.userId, users.userId)))
+        .leftJoin(
+            clients,
+            and(
+                eq(approvals.clientId, clients.clientId),
+                not(isNull(clients.userId)) // only user devices
+            )
+        )
+        .leftJoin(olms, eq(clients.clientId, olms.clientId))
+        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId))
+        .where(
+            and(
+                eq(approvals.orgId, orgId),
+                sql`${approvals.decision} in ${state}`,
+                ...(clientId ? [eq(approvals.clientId, clientId)] : [])
+            )
+        )
+        .orderBy(
+            sql`CASE ${approvals.decision} WHEN 'pending' THEN 0 ELSE 1 END`,
+            desc(approvals.timestamp)
+        )
+        .limit(limit)
+        .offset(offset);
+
+    // Process results to format device names and build fingerprint objects
+    return res.map((approval) => {
+        const model = approval.deviceModel || null;
+        const deviceName = approval.clientName
+            ? getUserDeviceName(model, approval.clientName)
+            : null;
+
+        // Build fingerprint object if any fingerprint data exists
+        const hasFingerprintData =
+            approval.fingerprintPlatform ||
+            approval.fingerprintOsVersion ||
+            approval.fingerprintKernelVersion ||
+            approval.fingerprintArch ||
+            approval.fingerprintSerialNumber ||
+            approval.fingerprintUsername ||
+            approval.fingerprintHostname ||
+            approval.deviceModel;
+
+        const fingerprint = hasFingerprintData
+            ? {
+                platform: approval.fingerprintPlatform || null,
+                osVersion: approval.fingerprintOsVersion || null,
+                kernelVersion: approval.fingerprintKernelVersion || null,
+                arch: approval.fingerprintArch || null,
+                deviceModel: approval.deviceModel || null,
+                serialNumber: approval.fingerprintSerialNumber || null,
+                username: approval.fingerprintUsername || null,
+                hostname: approval.fingerprintHostname || null
+            }
+            : null;
+
+        const {
+            clientName,
+            deviceModel,
+            fingerprintPlatform,
+            fingerprintOsVersion,
+            fingerprintKernelVersion,
+            fingerprintArch,
+            fingerprintSerialNumber,
+            fingerprintUsername,
+            fingerprintHostname,
+            ...rest
+        } = approval;
+
+        return {
+            ...rest,
+            deviceName,
+            fingerprint,
+            niceId: approval.niceId || null
+        };
+    });
+}
+
+export type ListApprovalsResponse = {
+    approvals: NonNullable<Awaited<ReturnType<typeof queryApprovals>>>;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listApprovals(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+        const { limit, offset, approvalState, clientId } = parsedQuery.data;
+
+        const { orgId } = parsedParams.data;
+
+        const approvalsList = await queryApprovals(
+            orgId.toString(),
+            limit,
+            offset,
+            approvalState,
+            clientId
+        );
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(approvals);
+
+        return response<ListApprovalsResponse>(res, {
+            data: {
+                approvals: approvalsList,
+                pagination: {
+                    total: count,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Approvals retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/Show More
+++ b/Show More